Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:file.exe
Analysis ID:1440164
MD5:72007357beb74fea20e7daa285212b16
SHA1:e37f50ace578fc3a69fb7a312a659d51491e32b0
SHA256:6a1bda6fa37b02776b44c80fc1d8329bd7fbd49ff46eaf37346e5c436a52ec9e
Tags:exeRiseProStealer
Infos:

Detection

PrivateLoader, RisePro Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected PrivateLoader
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Process Tree

  • System is w10x64
  • file.exe (PID: 744 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 72007357BEB74FEA20E7DAA285212B16)
    • schtasks.exe (PID: 1368 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3852 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • WerFault.exe (PID: 7448 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 2028 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 1436 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 72007357BEB74FEA20E7DAA285212B16)
    • WerFault.exe (PID: 7564 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1956 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • MPGPH131.exe (PID: 648 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 72007357BEB74FEA20E7DAA285212B16)
    • WerFault.exe (PID: 7584 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1908 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • RageMP131.exe (PID: 7236 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 72007357BEB74FEA20E7DAA285212B16)
  • RageMP131.exe (PID: 7768 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 72007357BEB74FEA20E7DAA285212B16)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
PrivateLoaderAccording to sekoia, PrivateLoader is a modular malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.privateloader

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Users\user\AppData\Local\Temp\OGKFocHES6dDgKTCWPSJdQR.zipJoeSecurity_RiseProStealerYara detected RisePro StealerJoe Security
    C:\Users\user\AppData\Local\Temp\8klzCUsmQMVYazLTWo6KoKU.zipJoeSecurity_RiseProStealerYara detected RisePro StealerJoe Security
      C:\Users\user\AppData\Local\Temp\ZeTvTkc8PqqpWi0gm5JPfdt.zipJoeSecurity_RiseProStealerYara detected RisePro StealerJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000003.00000002.2026410193.0000000000ABF000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RiseProStealerYara detected RisePro StealerJoe Security
          00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RiseProStealerYara detected RisePro StealerJoe Security
            00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              00000000.00000002.2017190533.00000000018FE000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RiseProStealerYara detected RisePro StealerJoe Security
                00000003.00000002.2025872612.00000000009AD000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RiseProStealerYara detected RisePro StealerJoe Security
                  Click to see the 18 entries

                  Unpacked PEs

                  SourceRuleDescriptionAuthorStrings
                  3.2.MPGPH131.exe.f00000.0.unpackJoeSecurity_PrivateLoaderYara detected PrivateLoaderJoe Security
                    6.2.MPGPH131.exe.f00000.0.unpackJoeSecurity_PrivateLoaderYara detected PrivateLoaderJoe Security
                      0.2.file.exe.bb0000.0.unpackJoeSecurity_PrivateLoaderYara detected PrivateLoaderJoe Security
                        16.2.RageMP131.exe.b80000.0.unpackJoeSecurity_PrivateLoaderYara detected PrivateLoaderJoe Security
                          7.2.RageMP131.exe.b80000.0.unpackJoeSecurity_PrivateLoaderYara detected PrivateLoaderJoe Security

                            Sigma Signatures

                            System Summary

                            barindex
                            Sigma detected: CurrentVersion Autorun Keys Modification
                            Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 744, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

                            Snort Signatures

                            Timestamp:05/12/24-12:02:58.333893
                            SID:2046266
                            Source Port:58709
                            Destination Port:49731
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:02:56.237225
                            SID:2046266
                            Source Port:58709
                            Destination Port:49730
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:02:57.482973
                            SID:2046267
                            Source Port:58709
                            Destination Port:49730
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:02:58.992753
                            SID:2046267
                            Source Port:58709
                            Destination Port:49731
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:03:17.954872
                            SID:2046266
                            Source Port:58709
                            Destination Port:49751
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:03:05.358724
                            SID:2046269
                            Source Port:49730
                            Destination Port:58709
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:03:06.218564
                            SID:2046269
                            Source Port:49731
                            Destination Port:58709
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:03:11.796109
                            SID:2046269
                            Source Port:49739
                            Destination Port:58709
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:03:08.562034
                            SID:2046269
                            Source Port:49736
                            Destination Port:58709
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:03:00.933956
                            SID:2046267
                            Source Port:58709
                            Destination Port:49736
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:03:07.984400
                            SID:2046266
                            Source Port:58709
                            Destination Port:49739
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:03:00.497224
                            SID:2046266
                            Source Port:58709
                            Destination Port:49736
                            Protocol:TCP
                            Classtype:A Network Trojan was detected
                            Timestamp:05/12/24-12:02:55.911761
                            SID:2049060
                            Source Port:49730
                            Destination Port:58709
                            Protocol:TCP
                            Classtype:A Network Trojan was detected

                            Joe Sandbox Signatures

                            Click to jump to signature section

                            Show All Signature Results

                            AV Detection

                            barindex
                            Antivirus detection for URL or domain
                            Source: http://5.42.96.7/cost/go.exe-QAvira URL Cloud: Label: phishing
                            Source: http://5.42.96.7/cost/lenin.exe9Avira URL Cloud: Label: phishing
                            Source: http://5.42.96.7/cost/lenin.exeAvira URL Cloud: Label: malware
                            Source: http://5.42.96.7/cost/go.exeOwAvira URL Cloud: Label: phishing
                            Source: http://5.42.96.7/cost/go.exeAvira URL Cloud: Label: phishing
                            Source: http://5.42.96.7/cost/go.exe68vAvira URL Cloud: Label: phishing
                            Source: http://5.42.96.7/cost/go.exec.vTKAvira URL Cloud: Label: phishing
                            Multi AV Scanner detection for domain / URL
                            Source: http://5.42.96.7/cost/go.exeVirustotal: Detection: 18%Perma Link
                            Source: http://147.45.47.102:57893/hera/amadka.exeeVirustotal: Detection: 16%Perma Link
                            Source: http://5.42.96.7/cost/lenin.exeVirustotal: Detection: 19%Perma Link
                            Multi AV Scanner detection for dropped file
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeReversingLabs: Detection: 47%
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeVirustotal: Detection: 58%Perma Link
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeReversingLabs: Detection: 47%
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeVirustotal: Detection: 58%Perma Link
                            Multi AV Scanner detection for submitted file
                            Source: file.exeReversingLabs: Detection: 47%
                            Source: file.exeVirustotal: Detection: 58%Perma Link
                            Machine Learning detection for dropped file
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeJoe Sandbox ML: detected
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeJoe Sandbox ML: detected
                            Machine Learning detection for sample
                            Source: file.exeJoe Sandbox ML: detected
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C76A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FC6A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FC6A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,
                            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49733 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49737 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49738 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49741 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49752 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49753 version: TLS 1.2

                            Spreading

                            barindex
                            Yara detected PrivateLoader
                            Source: Yara matchFile source: 3.2.MPGPH131.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.2.MPGPH131.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 16.2.RageMP131.exe.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 7.2.RageMP131.exe.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C966F0 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C43EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BE1F9C FindClose,FindFirstFileExW,GetLastError,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C75F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BE2022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C43850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FE66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F93EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FDFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F31F9C FindClose,FindFirstFileExW,GetLastError,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FC5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F32022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F93850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FE66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F93EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FDFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F31F9C FindClose,FindFirstFileExW,GetLastError,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FC5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F32022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F93850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_a2f39f18c7bab85a936641112cf4d8a65518de_de9be973_94773830-acbf-49ed-a888-c6bd52737c00\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_f72aa47e83387be13decffad958dd6df2948b_3ea92c58_dec5365b-211a-4509-a3ee-25eef0619427\

                            Networking

                            barindex
                            Snort IDS alert for network traffic
                            Source: TrafficSnort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.126:58709
                            Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49730
                            Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.126:58709 -> 192.168.2.4:49730
                            Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49731
                            Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.126:58709 -> 192.168.2.4:49731
                            Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49736
                            Source: TrafficSnort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.126:58709 -> 192.168.2.4:49736
                            Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.126:58709
                            Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 147.45.47.126:58709
                            Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49739
                            Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49736 -> 147.45.47.126:58709
                            Source: TrafficSnort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49739 -> 147.45.47.126:58709
                            Source: TrafficSnort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.126:58709 -> 192.168.2.4:49751
                            Yara detected PrivateLoader
                            Source: Yara matchFile source: 3.2.MPGPH131.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.2.MPGPH131.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 16.2.RageMP131.exe.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 7.2.RageMP131.exe.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Connects to many ports of the same IP (likely port scanning)
                            Source: global trafficTCP traffic: 147.45.47.126 ports 0,5,7,8,58709,9
                            Source: global trafficTCP traffic: 192.168.2.4:49730 -> 147.45.47.126:58709
                            Source: Joe Sandbox ViewIP Address: 34.117.186.192 34.117.186.192
                            Source: Joe Sandbox ViewIP Address: 34.117.186.192 34.117.186.192
                            Source: Joe Sandbox ViewIP Address: 147.45.47.126 147.45.47.126
                            Source: Joe Sandbox ViewIP Address: 104.26.5.15 104.26.5.15
                            Source: Joe Sandbox ViewASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
                            Source: Joe Sandbox ViewJA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
                            Source: unknownDNS query: name: ipinfo.io
                            Source: unknownDNS query: name: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.47.126
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C78510 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficHTTP traffic detected: GET /widget/demo/81.181.60.11 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
                            Source: global trafficHTTP traffic detected: GET /demo/home.php?s=81.181.60.11 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
                            Source: global trafficDNS traffic detected: DNS query: ipinfo.io
                            Source: global trafficDNS traffic detected: DNS query: db-ip.com
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://147.45.47.102:57893/hera/amadka.exee
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1732443446.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.96.7/cost/go.exe
                            Source: MPGPH131.exe, 00000003.00000003.1732443446.0000000000B13000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.96.7/cost/go.exe-Q
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.96.7/cost/go.exe68v
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.96.7/cost/go.exeOw
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.0000000000A97000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.96.7/cost/go.exec.vTK
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1732508963.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.96.7/cost/lenin.exe
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://5.42.96.7/cost/lenin.exe9
                            Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drString found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
                            Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drString found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
                            Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drString found in binary or memory: http://pki-ocsp.symauth.com0
                            Source: Amcache.hve.10.drString found in binary or memory: http://upx.sf.net
                            Source: file.exe, 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: http://www.winimage.com/zLibDll
                            Source: file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                            Source: file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                            Source: file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                            Source: file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/$
                            Source: RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/O
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.60.11
                            Source: RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.60.111
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.60.117
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.60.1196
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.60.11G
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.60.11SRL
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.60.11Z
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.0000000000857000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.60.11
                            Source: RageMP131.exe, 00000007.00000002.1860003905.0000000001ADC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.60.11&OLa
                            Source: file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                            Source: file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                            Source: file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001E19000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
                            Source: file.exe, 00000000.00000002.2016612734.000000000183F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/:
                            Source: file.exe, 00000000.00000002.2016612734.0000000001880000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001B3B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001E37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
                            Source: file.exe, 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
                            Source: file.exe, 00000000.00000002.2016612734.0000000001880000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2016612734.000000000183A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.00000000009E9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.000000000088F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001AEA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001B3B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001DF0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001E37000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.60.11
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.60.11P
                            Source: file.exe, 00000000.00000002.2016612734.000000000183A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.60.11eG
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.00000000009E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/81.181.60.11m
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001DE7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/wv~1
                            Source: file.exe, 00000000.00000002.2016612734.0000000001880000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001DB8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.60.11
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.0000000000857000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.60.11o
                            Source: D87fZN3R3jFeplaces.sqlite.3.drString found in binary or memory: https://support.mozilla.org
                            Source: D87fZN3R3jFeplaces.sqlite.3.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                            Source: D87fZN3R3jFeplaces.sqlite.3.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
                            Source: file.exe, 00000000.00000003.1714129104.0000000001976000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1745984308.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744541075.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, ITZ0bicyJ58aHistory.6.dr, m78YdG3PG6psHistory.6.dr, 1_QlH4gDMSHgHistory.3.dr, 66rslgkYekRJHistory.3.dr, JRPAhKRZ9ZTqHistory.0.dr, rakgGBowKZnMHistory.0.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
                            Source: ITZ0bicyJ58aHistory.6.dr, m78YdG3PG6psHistory.6.dr, 1_QlH4gDMSHgHistory.3.dr, 66rslgkYekRJHistory.3.dr, JRPAhKRZ9ZTqHistory.0.dr, rakgGBowKZnMHistory.0.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
                            Source: file.exe, 00000000.00000003.1714129104.0000000001976000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1745984308.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744541075.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, ITZ0bicyJ58aHistory.6.dr, m78YdG3PG6psHistory.6.dr, 1_QlH4gDMSHgHistory.3.dr, 66rslgkYekRJHistory.3.dr, JRPAhKRZ9ZTqHistory.0.dr, rakgGBowKZnMHistory.0.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
                            Source: ITZ0bicyJ58aHistory.6.dr, m78YdG3PG6psHistory.6.dr, 1_QlH4gDMSHgHistory.3.dr, 66rslgkYekRJHistory.3.dr, JRPAhKRZ9ZTqHistory.0.dr, rakgGBowKZnMHistory.0.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
                            Source: RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.70
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.=
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.j
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1786714219.0000000000999000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.0000000000857000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001DB8000.00000004.00000020.00020000.00000000.sdmp, OGKFocHES6dDgKTCWPSJdQR.zip.0.dr, 8klzCUsmQMVYazLTWo6KoKU.zip.3.dr, ZeTvTkc8PqqpWi0gm5JPfdt.zip.6.drString found in binary or memory: https://t.me/RiseProSUPPORT
                            Source: file.exe, 00000000.00000002.2017190533.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754759356.00000000018FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORT9?
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.00000000009AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTB
                            Source: file.exe, 00000000.00000002.2016612734.00000000017FE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/RiseProSUPPORTv
                            Source: RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro0.11
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.3.dr, passwords.txt.6.drString found in binary or memory: https://t.me/risepro_bot
                            Source: RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot(
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot6
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botlater
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botlater60.11
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botomania
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botomaniaJ
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botrisepro
                            Source: file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drString found in binary or memory: https://www.ecosia.org/newtab/
                            Source: file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                            Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                            Source: D87fZN3R3jFeplaces.sqlite.3.drString found in binary or memory: https://www.mozilla.org
                            Source: D87fZN3R3jFeplaces.sqlite.3.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
                            Source: D87fZN3R3jFeplaces.sqlite.3.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                            Source: file.exe, 00000000.00000003.1712875280.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754759356.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711546182.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710695121.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711020768.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711199028.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710404039.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2017190533.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1716444393.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1715420924.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1716726282.000000000194F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728034265.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1729477122.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1763214228.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1724654003.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1723096796.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2026410193.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1730561392.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1726490410.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728710216.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1724276872.0000000000B05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/L
                            Source: D87fZN3R3jFeplaces.sqlite.3.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
                            Source: file.exe, 00000000.00000003.1712875280.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754759356.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711546182.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710695121.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711020768.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1711199028.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710404039.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2017190533.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1716444393.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1715420924.000000000194F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1716726282.000000000194F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728034265.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1729477122.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1763214228.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1724654003.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1723096796.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2026410193.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1730561392.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1726490410.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728710216.0000000000B05000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1724276872.0000000000B05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/r
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/tata
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/y.jaxx
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49733 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49733
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49732
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49734 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49753
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49732 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49752
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49752 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49738
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49737
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49735 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49735
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49737 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49753 -> 443
                            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49734
                            Source: unknownNetwork traffic detected: HTTP traffic on port 49738 -> 443
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49732 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49733 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49737 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49738 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49741 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49752 version: TLS 1.2
                            Source: unknownHTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49753 version: TLS 1.2
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FE5F70 GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,735274A0,DeleteObject,DeleteObject,ReleaseDC,

                            System Summary

                            barindex
                            PE file has nameless sections
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BF002D
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C4F050
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C5A180
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C403C0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8E3B0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C4D320
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C46330
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CEF480
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C87580
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C48630
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BBB8E0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C31B90
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CAAC30
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C43EC0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C4AEE0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8FE80
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8EFB0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C43000
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BE71A0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C542A0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BF036F
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BDF580
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C53590
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C34560
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF7690
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C02610
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C047BF
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C97760
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BEA928
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BEC960
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BFDA86
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C9EBA0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C9FBA0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C08BB0
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF6C50
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CE4C70
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CF5D10
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C08E30
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00CA2F30
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE107B6
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE10000
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F9F050
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F4002D
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FAA180
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F903C0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FDE3B0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F96330
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F9D320
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FD7580
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_0103F480
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F98630
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F0B8E0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F81B90
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FFAC30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F9AEE0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F93EC0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FDFE80
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FDEFB0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F93000
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F371A0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FA42A0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F4036F
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_010485F0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FA3590
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F2F580
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F84560
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F547BF
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_01047690
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FE7760
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F3C960
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F3A928
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F4DA86
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F58BB0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FEEBA0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FEFBA0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_01045D10
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_01046C50
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_01034C70
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F58E30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_01041E30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FF2F30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_7F6107B6
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_7F610000
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F9F050
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F4002D
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FAA180
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F903C0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FDE3B0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F96330
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F9D320
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FD7580
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_0103F480
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F98630
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F0B8E0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F81B90
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FFAC30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F9AEE0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F93EC0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FDFE80
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FDEFB0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F93000
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F371A0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FA42A0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F4036F
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_010485F0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FA3590
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F2F580
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F84560
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F547BF
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01047690
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FE7760
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F3C960
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F3A928
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F4DA86
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F58BB0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FEEBA0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FEFBA0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01045D10
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01046C50
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01034C70
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F58E30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_01041E30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FF2F30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_7F0C07B6
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_7F0C0000
                            Source: C:\Users\user\Desktop\file.exeCode function: String function: 00BCACE0 appears 86 times
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: String function: 00F34380 appears 58 times
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: String function: 00F1ACE0 appears 172 times
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 2028
                            Source: file.exe, 00000000.00000000.1611939281.0000000000D51000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
                            Source: file.exeBinary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
                            Source: file.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                            Source: file.exeStatic PE information: Section: ZLIB complexity 0.9999917380499154
                            Source: file.exeStatic PE information: Section: ZLIB complexity 0.9983345445736435
                            Source: file.exeStatic PE information: Section: ZLIB complexity 0.99658203125
                            Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9999917380499154
                            Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9983345445736435
                            Source: RageMP131.exe.0.drStatic PE information: Section: ZLIB complexity 0.99658203125
                            Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9999917380499154
                            Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.9983345445736435
                            Source: MPGPH131.exe.0.drStatic PE information: Section: ZLIB complexity 0.99658203125
                            Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@14/81@2/3
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\RageMP131Jump to behavior
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1704:120:WilError_03
                            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess744
                            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1436
                            Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess648
                            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6880:120:WilError_03
                            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\rage131MP.tmpJump to behavior
                            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: file.exe, 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
                            Source: file.exe, 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
                            Source: file.exe, 00000000.00000003.1709892810.0000000001952000.00000004.00000020.00020000.00000000.sdmp, hxHjRwjYwPT3Login Data For Account.3.dr, mHC5xGA2ZDf7Login Data.3.dr, _2Udgx0R4lC0Login Data For Account.6.dr, TRbMB5IbyYCfLogin Data.6.dr, oUhaH1047Io5Login Data.0.dr, STqIiTxIo5J7Login Data For Account.0.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                            Source: file.exeReversingLabs: Detection: 47%
                            Source: file.exeVirustotal: Detection: 58%
                            Source: file.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                            Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                            Source: MPGPH131.exeString found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
                            Source: C:\Users\user\Desktop\file.exeFile read: C:\Users\user\Desktop\file.exeJump to behavior
                            Source: unknownProcess created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                            Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: unknownProcess created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
                            Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 2028
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1956
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1908
                            Source: unknownProcess created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                            Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: version.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rstrtmgr.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ncrypt.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ntasn1.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: shfolder.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: d3d11.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dxgi.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: resourcepolicyclient.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: d3d10warp.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dxcore.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ntmarta.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: wininet.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: devobj.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: webio.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: schannel.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: mskeyprotect.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: ncryptsslp.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: msasn1.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: vaultcli.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dll
                            Source: C:\Users\user\Desktop\file.exeSection loaded: dpapi.dll
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: apphelp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: version.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: shfolder.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: profapi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dll
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                            Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: xmllite.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: version.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rstrtmgr.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncrypt.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntasn1.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: shfolder.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: uxtheme.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: windows.storage.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wldp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: profapi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: sspicli.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d11.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxgi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: resourcepolicyclient.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: kernel.appcore.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: d3d10warp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dxcore.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: webio.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: iphlpapi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winnsi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dnsapi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rasadhlp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: fwpuclnt.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: schannel.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mskeyprotect.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ncryptsslp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: msasn1.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptsp.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: rsaenh.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: cryptbase.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: gpapi.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: vaultcli.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wintypes.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: ntmarta.dll
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: dpapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: shfolder.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: webio.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: schannel.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: version.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: shfolder.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: uxtheme.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: windows.storage.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wldp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: profapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d11.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxgi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: resourcepolicyclient.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: kernel.appcore.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: d3d10warp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dxcore.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: webio.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: iphlpapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winnsi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: dnsapi.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rasadhlp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: fwpuclnt.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: schannel.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mskeyprotect.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncryptsslp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: msasn1.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptsp.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rsaenh.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: cryptbase.dll
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: gpapi.dll
                            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                            Source: file.exeStatic file information: File size 3241984 > 1048576
                            Source: file.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x22da00

                            Data Obfuscation

                            barindex
                            Detected unpacking (changes PE section rights)
                            Source: C:\Users\user\Desktop\file.exeUnpacked PE file: 0.2.file.exe.bb0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeUnpacked PE file: 3.2.MPGPH131.exe.f00000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeUnpacked PE file: 6.2.MPGPH131.exe.f00000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeUnpacked PE file: 7.2.RageMP131.exe.b80000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeUnpacked PE file: 16.2.RageMP131.exe.b80000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C7F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                            Source: initial sampleStatic PE information: section where entry point is pointing to: .data
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: file.exeStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: RageMP131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: MPGPH131.exe.0.drStatic PE information: section name:
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BE3F59 push ecx; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE116E0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11EF0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11EC0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE10ED0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE126D0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE10EA0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE126A0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE116B0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11680 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11E90 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11E60 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE10E70 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE12670 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE10E40 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE12640 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11650 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11620 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11E30 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11E00 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE10E10 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE12610 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11FE0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE10FF0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE127F0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE10FC0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE127C0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE117D0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE117A0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE11FB0 push 7EE10002h; ret
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_7EE107B6 push edi; mov dword ptr [esp], edx
                            Source: file.exeStatic PE information: section name: entropy: 7.999642093451103
                            Source: file.exeStatic PE information: section name: entropy: 7.99632844124323
                            Source: file.exeStatic PE information: section name: entropy: 7.827423983071036
                            Source: file.exeStatic PE information: section name: entropy: 7.973813310249681
                            Source: RageMP131.exe.0.drStatic PE information: section name: entropy: 7.999642093451103
                            Source: RageMP131.exe.0.drStatic PE information: section name: entropy: 7.99632844124323
                            Source: RageMP131.exe.0.drStatic PE information: section name: entropy: 7.827423983071036
                            Source: RageMP131.exe.0.drStatic PE information: section name: entropy: 7.973813310249681
                            Source: MPGPH131.exe.0.drStatic PE information: section name: entropy: 7.999642093451103
                            Source: MPGPH131.exe.0.drStatic PE information: section name: entropy: 7.99632844124323
                            Source: MPGPH131.exe.0.drStatic PE information: section name: entropy: 7.827423983071036
                            Source: MPGPH131.exe.0.drStatic PE information: section name: entropy: 7.973813310249681
                            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeJump to dropped file
                            Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\MPGPH131\MPGPH131.exeJump to dropped file
                            Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\MPGPH131\MPGPH131.exeJump to dropped file

                            Boot Survival

                            barindex
                            Uses schtasks.exe or at.exe to add and modify task schedules
                            Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                            Source: C:\Users\user\Desktop\file.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131Jump to behavior
                            Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                            Source: C:\Users\user\Desktop\file.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            barindex
                            Found stalling execution ending in API Sleep call
                            Source: C:\Users\user\Desktop\file.exeStalling execution: Execution stalls by calling Sleep
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeStalling execution: Execution stalls by calling Sleep
                            Source: C:\Users\user\Desktop\file.exeWindow / User API: threadDelayed 1258
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeWindow / User API: threadDelayed 1099
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeWindow / User API: threadDelayed 538
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                            Source: C:\Users\user\Desktop\file.exeDecision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
                            Source: C:\Users\user\Desktop\file.exeEvaded block: after key decision
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeEvaded block: after key decision
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeEvaded block: after key decision
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                            Source: C:\Users\user\Desktop\file.exeEvasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
                            Source: C:\Users\user\Desktop\file.exe TID: 5812Thread sleep count: 1258 > 30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3320Thread sleep count: 1099 > 30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3320Thread sleep count: 42 > 30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2228Thread sleep count: 538 > 30
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2228Thread sleep count: 47 > 30
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7240Thread sleep count: 58 > 30
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7772Thread sleep count: 251 > 30
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7772Thread sleep count: 65 > 30
                            Source: C:\Users\user\Desktop\file.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeLast function: Thread delayed
                            Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeLast function: Thread delayed
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C966F0 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C43EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BE1F9C FindClose,FindFirstFileExW,GetLastError,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C75F80 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BE2022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C43850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FE66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F93EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FDFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F31F9C FindClose,FindFirstFileExW,GetLastError,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FC5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F32022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F93850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FE66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F93EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FDFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F31F9C FindClose,FindFirstFileExW,GetLastError,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FC5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F32022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F93850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_a2f39f18c7bab85a936641112cf4d8a65518de_de9be973_94773830-acbf-49ed-a888-c6bd52737c00\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
                            Source: C:\Windows\SysWOW64\WerFault.exeFile opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_f72aa47e83387be13decffad958dd6df2948b_3ea92c58_dec5365b-211a-4509-a3ee-25eef0619427\
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 11 Essential Server Solutions without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: #Windows 10 Microsoft Hyper-V Server
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8.1 Microsoft Hyper-V Server
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 Server Standard without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8 Microsoft Hyper-V Server
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 11 Microsoft Hyper-V Server
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
                            Source: file.exe, 00000000.00000003.1723779331.0000000001976000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_AFD28CCEl
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 R2 Server Standard without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
                            Source: Amcache.hve.10.drBinary or memory string: vmci.sys
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
                            Source: RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: vmware
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8 Server Standard without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
                            Source: MPGPH131.exe, 00000003.00000003.1660050274.0000000000A1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*&
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
                            Source: Amcache.hve.10.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                            Source: Amcache.hve.10.drBinary or memory string: VMware PCI VMCI Bus Device
                            Source: Amcache.hve.10.drBinary or memory string: VMware Virtual RAM
                            Source: Amcache.hve.10.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: "Windows 8 Microsoft Hyper-V Server
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
                            Source: Amcache.hve.10.drBinary or memory string: VMware Virtual USB Mouse
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008BA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001E0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 10 Server Standard without Hyper-V
                            Source: file.exe, 00000000.00000002.2016612734.000000000182B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000bm
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001E19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsokO
                            Source: Amcache.hve.10.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
                            Source: RageMP131.exe, 00000007.00000002.1860003905.0000000001B0B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000`
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 11 Server Standard without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Hyper-V (guest)
                            Source: Amcache.hve.10.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                            Source: MPGPH131.exe, 00000006.00000003.1681609803.00000000008C2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Z
                            Source: MPGPH131.exe, 00000006.00000002.2038873583.000000000098F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_AFD28CCE
                            Source: Amcache.hve.10.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 10 Microsoft Hyper-V Server
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
                            Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin`
                            Source: Amcache.hve.10.drBinary or memory string: \driver\vmci,\driver\pci
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000011DE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000E5E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000E5E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: ~VirtualMachineTypes
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000011DE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000E5E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000E5E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2016 Microsoft Hyper-V Server
                            Source: file.exe, 00000000.00000002.2015797696.0000000000E8E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000011DE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000011DE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000E5E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000E5E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 11 Server Standard without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: )Windows 8 Server Standard without Hyper-V
                            Source: MPGPH131.exe, 00000006.00000002.2038444283.00000000008AC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000x
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: %Windows 2012 Microsoft Hyper-V Server
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Hyper-V
                            Source: Amcache.hve.10.drBinary or memory string: VMware
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: $Windows 8.1 Microsoft Hyper-V Server
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: ,Windows 2012 Server Standard without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
                            Source: MPGPH131.exe, 00000003.00000003.1763214228.0000000000AA5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}B
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 Microsoft Hyper-V Server
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
                            Source: RageMP131.exe, 00000010.00000002.1923638646.0000000001E0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                            Source: Amcache.hve.10.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8 Essential Server Solutions without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 10 Essential Server Solutions without Hyper-V
                            Source: file.exe, 00000000.00000002.2016612734.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001B0B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001B3B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001E0D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 10 Server Standard without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
                            Source: RageMP131.exe, 00000010.00000003.1856143509.0000000001E23000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
                            Source: Amcache.hve.10.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}0
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: %Windows 2016 Microsoft Hyper-V Server
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
                            Source: MPGPH131.exe, 00000006.00000002.2038911132.000000000099D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ta\*P
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: +Windows 8.1 Server Standard without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
                            Source: Amcache.hve.10.drBinary or memory string: VMware20,1
                            Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Generation Counter
                            Source: Amcache.hve.10.drBinary or memory string: NECVMWar VMware SATA CD00
                            Source: Amcache.hve.10.drBinary or memory string: VMware Virtual disk SCSI Disk Device
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
                            Source: Amcache.hve.10.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
                            Source: Amcache.hve.10.drBinary or memory string: VMware VMCI Bus Device
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
                            Source: Amcache.hve.10.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2016 Server Standard without Hyper-V (core)
                            Source: Amcache.hve.10.drBinary or memory string: vmci.syshbin
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8 Server Standard without Hyper-V (core)
                            Source: Amcache.hve.10.drBinary or memory string: VMware, Inc.
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
                            Source: MPGPH131.exe, 00000003.00000002.2026560826.0000000000B0A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_AFD28CCEl
                            Source: MPGPH131.exe, 00000003.00000003.1763214228.0000000000AA5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*e
                            Source: Amcache.hve.10.drBinary or memory string: VMware20,1hbin@
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
                            Source: RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: xVBoxService.exe
                            Source: Amcache.hve.10.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
                            Source: Amcache.hve.10.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: *Windows 11 Server Standard without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: ,Windows 2016 Server Standard without Hyper-V
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 Server Standard without Hyper-V (core)
                            Source: RageMP131.exe, 00000007.00000003.1756981078.0000000001B1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}3l
                            Source: file.exe, 00000000.00000003.1723779331.0000000001976000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}p
                            Source: Amcache.hve.10.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
                            Source: MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW$
                            Source: RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: VBoxService.exe
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 8.1 Server Standard without Hyper-V
                            Source: file.exe, 00000000.00000002.2016612734.000000000185B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWP
                            Source: Amcache.hve.10.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: *Windows 10 Server Standard without Hyper-V
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
                            Source: RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: VMWare
                            Source: Amcache.hve.10.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2016612734.000000000189A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWL
                            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
                            Source: RageMP131.exe, 00000007.00000002.1860003905.0000000001AAE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
                            Source: file.exe, 00000000.00000002.2015797696.0000000000D5E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026977424.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039230531.00000000010AE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858702382.0000000000D2E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922864872.0000000000D2E000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: #Windows 11 Microsoft Hyper-V Server
                            Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                            Anti Debugging

                            barindex
                            Hides threads from debuggers
                            Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                            Source: C:\Users\user\Desktop\file.exeThread information set: HideFromDebugger
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeThread information set: HideFromDebugger
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeThread information set: HideFromDebugger
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeThread information set: HideFromDebugger
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeThread information set: HideFromDebugger
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeThread information set: HideFromDebugger
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeThread information set: HideFromDebugger
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeThread information set: HideFromDebugger
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeThread information set: HideFromDebugger
                            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                            Source: C:\Users\user\Desktop\file.exeProcess queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeProcess queried: DebugPort
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BE8A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C7F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C76D00 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C43EC0 mov eax, dword ptr fs:[00000030h]
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FC6D00 mov eax, dword ptr fs:[00000030h]
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F93EC0 mov eax, dword ptr fs:[00000030h]
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FC6D00 mov eax, dword ptr fs:[00000030h]
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F93EC0 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C999F0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BE451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00BE8A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F3451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00F38A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F3451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00F38A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                            HIPS / PFW / Operating System Protection Evasion

                            barindex
                            Contains functionality to inject threads in other processes
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C7F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 3_2_00FCF200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00FCF200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,
                            Source: C:\Users\user\Desktop\file.exeCode function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                            Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                            Source: C:\Users\user\Desktop\file.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                            Source: C:\Users\user\Desktop\file.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,
                            Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                            Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                            Source: C:\Users\user\Desktop\file.exeCode function: EnumSystemLocalesW,
                            Source: C:\Users\user\Desktop\file.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: EnumSystemLocalesW,
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
                            Source: C:\Users\user\Desktop\file.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\Users\user\Desktop\file.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRegistry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                            Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00C8FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,
                            Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: Amcache.hve.10.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
                            Source: Amcache.hve.10.drBinary or memory string: msmpeng.exe
                            Source: Amcache.hve.10.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
                            Source: Amcache.hve.10.drBinary or memory string: MsMpEng.exe

                            Stealing of Sensitive Information

                            barindex
                            Yara detected PrivateLoader
                            Source: Yara matchFile source: 3.2.MPGPH131.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.2.MPGPH131.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 16.2.RageMP131.exe.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 7.2.RageMP131.exe.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Yara detected RisePro Stealer
                            Source: Yara matchFile source: 00000003.00000002.2026410193.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.2017190533.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000003.00000002.2025872612.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000006.00000003.1786714219.0000000000999000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000006.00000002.2038444283.0000000000857000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000003.00000003.1763214228.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1754759356.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 744, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 1436, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 648, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7236, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7768, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\OGKFocHES6dDgKTCWPSJdQR.zip, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\8klzCUsmQMVYazLTWo6KoKU.zip, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\ZeTvTkc8PqqpWi0gm5JPfdt.zip, type: DROPPED
                            Found many strings related to Crypto-Wallets (likely being stolen)
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum\wallets
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
                            Source: file.exe, 00000000.00000003.1723647121.0000000001976000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Exodus\Z
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
                            Source: file.exe, 00000000.00000003.1723647121.0000000001976000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Exodus\Z
                            Source: file.exe, 00000000.00000002.2016612734.000000000189A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json*mh
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
                            Source: file.exe, 00000000.00000003.1721393932.0000000001960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \Coinomi\Coinomi\wallets
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
                            Source: file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
                            Tries to harvest and steal browser information (history, passwords, etc)
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
                            Tries to steal Mail credentials (via file / registry access)
                            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                            Source: C:\Users\user\Desktop\file.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                            Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                            Source: C:\ProgramData\MPGPH131\MPGPH131.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
                            Source: Yara matchFile source: 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 744, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 1436, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 648, type: MEMORYSTR

                            Remote Access Functionality

                            barindex
                            Yara detected PrivateLoader
                            Source: Yara matchFile source: 3.2.MPGPH131.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 6.2.MPGPH131.exe.f00000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0.2.file.exe.bb0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 16.2.RageMP131.exe.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 7.2.RageMP131.exe.b80000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
                            Yara detected RisePro Stealer
                            Source: Yara matchFile source: 00000003.00000002.2026410193.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000002.2017190533.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000003.00000002.2025872612.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000006.00000003.1786714219.0000000000999000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000006.00000002.2038444283.0000000000857000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000003.00000003.1763214228.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000000.00000003.1754759356.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: Process Memory Space: file.exe PID: 744, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 1436, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 648, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7236, type: MEMORYSTR
                            Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7768, type: MEMORYSTR
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\OGKFocHES6dDgKTCWPSJdQR.zip, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\8klzCUsmQMVYazLTWo6KoKU.zip, type: DROPPED
                            Source: Yara matchFile source: C:\Users\user\AppData\Local\Temp\ZeTvTkc8PqqpWi0gm5JPfdt.zip, type: DROPPED

                            Mitre Att&ck Matrix

                            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                            Gather Victim Identity InformationAcquire InfrastructureValid Accounts3
                            Native API                            		1
                            DLL Side-Loading                            		1
                            DLL Side-Loading                            		1
                            Deobfuscate/Decode Files or Information                            		1
                            OS Credential Dumping                            		2
                            System Time Discovery                            		Remote Services1
                            Archive Collected Data                            		2
                            Ingress Tool Transfer                            		Exfiltration Over Other Network MediumAbuse Accessibility Features
                            CredentialsDomainsDefault Accounts2
                            Command and Scripting Interpreter                            		1
                            Scheduled Task/Job                            		11
                            Process Injection                            		3
                            Obfuscated Files or Information                            		LSASS Memory1
                            Account Discovery                            		Remote Desktop Protocol2
                            Data from Local System                            		21
                            Encrypted Channel                            		Exfiltration Over BluetoothNetwork Denial of Service
                            Email AddressesDNS ServerDomain Accounts1
                            Scheduled Task/Job                            		1
                            Registry Run Keys / Startup Folder                            		1
                            Scheduled Task/Job                            		12
                            Software Packing                            		Security Account Manager3
                            File and Directory Discovery                            		SMB/Windows Admin Shares1
                            Screen Capture                            		1
                            Non-Standard Port                            		Automated ExfiltrationData Encrypted for Impact
                            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                            Registry Run Keys / Startup Folder                            		1
                            DLL Side-Loading                            		NTDS35
                            System Information Discovery                            		Distributed Component Object Model1
                            Email Collection                            		2
                            Non-Application Layer Protocol                            		Traffic DuplicationData Destruction
                            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                            Masquerading                            		LSA Secrets1
                            Query Registry                            		SSHKeylogging13
                            Application Layer Protocol                            		Scheduled TransferData Encrypted for Impact
                            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts12
                            Virtualization/Sandbox Evasion                            		Cached Domain Credentials241
                            Security Software Discovery                            		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
                            Process Injection                            		DCSync12
                            Virtualization/Sandbox Evasion                            		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/JobIndicator Removal from ToolsProc Filesystem2
                            Process Discovery                            		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                            Application Window Discovery                            		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                            System Owner/User Discovery                            		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                            Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchdStripped PayloadsInput Capture1
                            System Network Configuration Discovery                            		Software Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                            Behavior Graph

                            Hide Legend

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1440164 Sample: file.exe Startdate: 12/05/2024 Architecture: WINDOWS Score: 100 43 ipinfo.io 2->43 45 db-ip.com 2->45 53 Snort IDS alert for network traffic 2->53 55 Multi AV Scanner detection for domain / URL 2->55 57 Antivirus detection for URL or domain 2->57 59 6 other signatures 2->59 8 file.exe 1 62 2->8         started        13 MPGPH131.exe 55 2->13         started        15 RageMP131.exe 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 47 147.45.47.126, 49730, 49731, 49736 FREE-NET-ASFREEnetEU Russian Federation 8->47 49 ipinfo.io 34.117.186.192, 443, 49732, 49734 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->49 51 db-ip.com 104.26.5.15, 443, 49733, 49735 CLOUDFLARENETUS United States 8->51 33 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 8->33 dropped 35 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 8->35 dropped 37 C:\Users\user\...\OGKFocHES6dDgKTCWPSJdQR.zip, Zip 8->37 dropped 61 Detected unpacking (changes PE section rights) 8->61 63 Tries to steal Mail credentials (via file / registry access) 8->63 65 Found many strings related to Crypto-Wallets (likely being stolen) 8->65 77 2 other signatures 8->77 19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        23 WerFault.exe 8->23         started        39 C:\Users\user\...\8klzCUsmQMVYazLTWo6KoKU.zip, Zip 13->39 dropped 67 Multi AV Scanner detection for dropped file 13->67 69 Machine Learning detection for dropped file 13->69 71 Found stalling execution ending in API Sleep call 13->71 25 WerFault.exe 13->25         started        73 Hides threads from debuggers 15->73 41 C:\Users\user\...\ZeTvTkc8PqqpWi0gm5JPfdt.zip, Zip 17->41 dropped 75 Tries to harvest and steal browser information (history, passwords, etc) 17->75 27 WerFault.exe 17->27         started        file6 signatures7 process8 process9 29 conhost.exe 19->29         started        31 conhost.exe 21->31         started       

                            Screenshots

                            Thumbnails

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                            windows-stand

                            Antivirus, Machine Learning and Genetic Malware Detection

                            Initial Sample

                            SourceDetectionScannerLabelLink
                            file.exe47%ReversingLabsWin32.Trojan.Strictor
                            file.exe59%VirustotalBrowse
                            file.exe100%Joe Sandbox ML

                            Dropped Files

                            SourceDetectionScannerLabelLink
                            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe100%Joe Sandbox ML
                            C:\ProgramData\MPGPH131\MPGPH131.exe100%Joe Sandbox ML
                            C:\ProgramData\MPGPH131\MPGPH131.exe47%ReversingLabsWin32.Trojan.Strictor
                            C:\ProgramData\MPGPH131\MPGPH131.exe59%VirustotalBrowse
                            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe47%ReversingLabsWin32.Trojan.Strictor
                            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe59%VirustotalBrowse

                            Unpacked PE Files

                            No Antivirus matches

                            Domains

                            No Antivirus matches

                            URLs

                            SourceDetectionScannerLabelLink
                            http://147.45.47.102:57893/hera/amadka.exe0%URL Reputationsafe
                            http://pki-ocsp.symauth.com00%URL Reputationsafe
                            https://t.700%Avira URL Cloudsafe
                            http://5.42.96.7/cost/go.exe-Q100%Avira URL Cloudphishing
                            http://5.42.96.7/cost/lenin.exe9100%Avira URL Cloudphishing
                            http://5.42.96.7/cost/lenin.exe100%Avira URL Cloudmalware
                            https://t.j0%Avira URL Cloudsafe
                            http://5.42.96.7/cost/go.exeOw100%Avira URL Cloudphishing
                            http://5.42.96.7/cost/go.exe100%Avira URL Cloudphishing
                            http://147.45.47.102:57893/hera/amadka.exee0%Avira URL Cloudsafe
                            http://5.42.96.7/cost/go.exe68v100%Avira URL Cloudphishing
                            https://t.=0%Avira URL Cloudsafe
                            http://5.42.96.7/cost/go.exe18%VirustotalBrowse
                            http://5.42.96.7/cost/go.exec.vTK100%Avira URL Cloudphishing
                            http://147.45.47.102:57893/hera/amadka.exee16%VirustotalBrowse
                            http://5.42.96.7/cost/lenin.exe20%VirustotalBrowse

                            Domains and IPs

                            Contacted Domains

                            NameIPActiveMaliciousAntivirus DetectionReputation
                            ipinfo.io
                            		34.117.186.192
                            		truefalse
                              		high
                              db-ip.com
                              		104.26.5.15
                              		truefalse
                                		high

                                Contacted URLs

                                NameMaliciousAntivirus DetectionReputation
                                https://ipinfo.io/widget/demo/81.181.60.11false
                                  		high
                                  https://db-ip.com/demo/home.php?s=81.181.60.11false
                                    		high

                                    URLs from Memory and Binaries

                                    NameSourceMaliciousAntivirus DetectionReputation
                                    https://duckduckgo.com/chrome_newtabfile.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drfalse
                                      		high
                                      https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFD87fZN3R3jFeplaces.sqlite.3.drfalse
                                        		high
                                        https://db-ip.com/$MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high
                                          https://t.me/RiseProSUPPORTvfile.exe, 00000000.00000002.2016612734.00000000017FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                            		high
                                            https://duckduckgo.com/ac/?q=file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drfalse
                                              		high
                                              https://db-ip.com/demo/home.php?s=81.181.60.11Gfile.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                		high
                                                https://t.jMPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                		unknown
                                                https://ipinfo.io:443/widget/demo/81.181.60.11file.exe, 00000000.00000002.2016612734.0000000001880000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001ADC000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001DB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  		high
                                                  http://147.45.47.102:57893/hera/amadka.exefile.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drfalse
                                                    		high
                                                    https://db-ip.com/RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		high
                                                      http://5.42.96.7/cost/go.exe-QMPGPH131.exe, 00000003.00000003.1732443446.0000000000B13000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      • Avira URL Cloud: phishing
                                                      		unknown
                                                      https://t.me/risepro_botlater60.11RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        		high
                                                        https://t.me/risepro_botomaniaJMPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          		high
                                                          http://5.42.96.7/cost/lenin.exe9MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                          • Avira URL Cloud: phishing
                                                          		unknown
                                                          http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crfile.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drfalse
                                                            		high
                                                            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drfalse
                                                              		high
                                                              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17file.exe, 00000000.00000003.1714129104.0000000001976000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1745984308.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744541075.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, ITZ0bicyJ58aHistory.6.dr, m78YdG3PG6psHistory.6.dr, 1_QlH4gDMSHgHistory.3.dr, 66rslgkYekRJHistory.3.dr, JRPAhKRZ9ZTqHistory.0.dr, rakgGBowKZnMHistory.0.drfalse
                                                                		high
                                                                https://ipinfo.io/widget/demo/81.181.60.11mMPGPH131.exe, 00000003.00000002.2025872612.00000000009E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  		high
                                                                  https://db-ip.com/demo/home.php?s=81.181.60.11ZMPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    		high
                                                                    http://5.42.96.7/cost/lenin.exefile.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1732508963.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                    • 20%, Virustotal, Browse
                                                                    • Avira URL Cloud: malware
                                                                    		unknown
                                                                    https://db-ip.com:443/demo/home.php?s=81.181.60.11file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.0000000000857000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001DB8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      		high
                                                                      https://t.me/risepro_bot(RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        		high
                                                                        https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallITZ0bicyJ58aHistory.6.dr, m78YdG3PG6psHistory.6.dr, 1_QlH4gDMSHgHistory.3.dr, 66rslgkYekRJHistory.3.dr, JRPAhKRZ9ZTqHistory.0.dr, rakgGBowKZnMHistory.0.drfalse
                                                                          		high
                                                                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchfile.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drfalse
                                                                            		high
                                                                            https://t.me/risepro_bot6MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                              		high
                                                                              https://db-ip.com/demo/home.php?s=81.181.60.11SRLMPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                		high
                                                                                https://t.70RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                • Avira URL Cloud: safe
                                                                                		low
                                                                                https://db-ip.com/ORageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                  		high
                                                                                  https://t.me/RiseProSUPPORTBMPGPH131.exe, 00000003.00000002.2025872612.00000000009AD000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                    		high
                                                                                    https://t.me/risepro_botriseproMPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      		high
                                                                                      https://t.me/RiseProSUPPORT9?file.exe, 00000000.00000002.2017190533.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1754759356.00000000018FE000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        		high
                                                                                        http://5.42.96.7/cost/go.exefile.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A97000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1732443446.0000000000B13000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        • 18%, Virustotal, Browse
                                                                                        • Avira URL Cloud: phishing
                                                                                        		unknown
                                                                                        https://www.google.com/images/branding/product/ico/googleg_lodp.icofile.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drfalse
                                                                                          		high
                                                                                          https://db-ip.com:443/demo/home.php?s=81.181.60.11&OLaRageMP131.exe, 00000007.00000002.1860003905.0000000001ADC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            		high
                                                                                            http://5.42.96.7/cost/go.exeOwfile.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • Avira URL Cloud: phishing
                                                                                            		unknown
                                                                                            http://147.45.47.102:57893/hera/amadka.exeeMPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            • 16%, Virustotal, Browse
                                                                                            • Avira URL Cloud: safe
                                                                                            		unknown
                                                                                            https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dllfile.exe, 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmpfalse
                                                                                              		high
                                                                                              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drfalse
                                                                                                		high
                                                                                                http://5.42.96.7/cost/go.exe68vMPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                • Avira URL Cloud: phishing
                                                                                                		unknown
                                                                                                http://upx.sf.netAmcache.hve.10.drfalse
                                                                                                  		high
                                                                                                  https://t.me/RiseProSUPPORTMPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1786714219.0000000000999000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.0000000000857000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001DB8000.00000004.00000020.00020000.00000000.sdmp, OGKFocHES6dDgKTCWPSJdQR.zip.0.dr, 8klzCUsmQMVYazLTWo6KoKU.zip.3.dr, ZeTvTkc8PqqpWi0gm5JPfdt.zip.6.drfalse
                                                                                                    		high
                                                                                                    https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016file.exe, 00000000.00000003.1714129104.0000000001976000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1745984308.00000000009C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744541075.00000000009B2000.00000004.00000020.00020000.00000000.sdmp, ITZ0bicyJ58aHistory.6.dr, m78YdG3PG6psHistory.6.dr, 1_QlH4gDMSHgHistory.3.dr, 66rslgkYekRJHistory.3.dr, JRPAhKRZ9ZTqHistory.0.dr, rakgGBowKZnMHistory.0.drfalse
                                                                                                      		high
                                                                                                      https://db-ip.com/demo/home.php?s=81.181.60.1196MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        		high
                                                                                                        https://www.ecosia.org/newtab/file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drfalse
                                                                                                          		high
                                                                                                          https://ipinfo.io/Mozilla/5.0file.exe, 00000000.00000002.2016612734.0000000001880000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A30000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001B3B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000010.00000002.1923638646.0000000001E37000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            		high
                                                                                                            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brD87fZN3R3jFeplaces.sqlite.3.drfalse
                                                                                                              		high
                                                                                                              https://t.=RageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              		low
                                                                                                              https://t.me/risepro0.11RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                		high
                                                                                                                https://ipinfo.io/wv~1RageMP131.exe, 00000010.00000002.1923638646.0000000001DE7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  		high
                                                                                                                  https://ipinfo.io/widget/demo/81.181.60.11eGfile.exe, 00000000.00000002.2016612734.000000000183A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    		high
                                                                                                                    https://t.me/risepro_botomaniafile.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      		high
                                                                                                                      https://ac.ecosia.org/autocomplete?q=file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drfalse
                                                                                                                        		high
                                                                                                                        https://t.me/risepro_botRageMP131.exe, 00000010.00000002.1923638646.0000000001E52000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.3.dr, passwords.txt.6.drfalse
                                                                                                                          		high
                                                                                                                          https://ipinfo.io/:file.exe, 00000000.00000002.2016612734.000000000183F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            		high
                                                                                                                            https://t.me/risepro_botlaterfile.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000002.2025872612.0000000000A4C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              		high
                                                                                                                              https://db-ip.com/demo/home.php?s=81.181.60.111RageMP131.exe, 00000007.00000002.1860003905.0000000001B5F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                		high
                                                                                                                                https://ipinfo.io/RageMP131.exe, 00000010.00000002.1923638646.0000000001E19000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  		high
                                                                                                                                  http://pki-ocsp.symauth.com0file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.drfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  		unknown
                                                                                                                                  https://ipinfo.io:443/widget/demo/81.181.60.11oMPGPH131.exe, 00000006.00000002.2038444283.0000000000857000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    		high
                                                                                                                                    https://www.maxmind.com/en/locate-my-ip-addressMPGPH131.exefalse
                                                                                                                                      		high
                                                                                                                                      http://www.winimage.com/zLibDllfile.exe, 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmpfalse
                                                                                                                                        		high
                                                                                                                                        https://support.mozilla.orgD87fZN3R3jFeplaces.sqlite.3.drfalse
                                                                                                                                          		high
                                                                                                                                          https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesITZ0bicyJ58aHistory.6.dr, m78YdG3PG6psHistory.6.dr, 1_QlH4gDMSHgHistory.3.dr, 66rslgkYekRJHistory.3.dr, JRPAhKRZ9ZTqHistory.0.dr, rakgGBowKZnMHistory.0.drfalse
                                                                                                                                            		high
                                                                                                                                            https://db-ip.com/demo/home.php?s=81.181.60.117file.exe, 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                              		high
                                                                                                                                              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=file.exe, 00000000.00000003.1716313651.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710776395.0000000001988000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1710166201.0000000001969000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1728367367.0000000000B44000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1721151906.0000000000B1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000003.00000003.1722946740.0000000000B3D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1743890646.00000000009A5000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1746218727.00000000009D6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.1744801901.00000000009D3000.00000004.00000020.00020000.00000000.sdmp, 19u7ECnptzzlWeb Data.3.dr, sYcixjslgY3sWeb Data.3.dr, v8KCsYORX8h7Web Data.6.dr, SBUYXJCvH4fCWeb Data.6.dr, M4EU2Y_AAhWdWeb Data.0.dr, IdCNLqBK5BIzWeb Data.0.dr, B087runuAKfxWeb Data.3.dr, fp5Zfw4ryWNTWeb Data.6.dr, ad9xHU1sHgxoWeb Data.0.drfalse
                                                                                                                                                		high
                                                                                                                                                https://ipinfo.io/widget/demo/81.181.60.11PMPGPH131.exe, 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  		high
                                                                                                                                                  http://5.42.96.7/cost/go.exec.vTKMPGPH131.exe, 00000003.00000002.2025872612.0000000000A97000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                  • Avira URL Cloud: phishing
                                                                                                                                                  		unknown

                                                                                                                                                  World Map of Contacted IPs

                                                                                                                                                  • No. of IPs < 25%
                                                                                                                                                  • 25% < No. of IPs < 50%
                                                                                                                                                  • 50% < No. of IPs < 75%
                                                                                                                                                  • 75% < No. of IPs

                                                                                                                                                  Public IPs

                                                                                                                                                  IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                  34.117.186.192
                                                                                                                                                  		ipinfo.ioUnited States
                                                                                                                                                  		139070GOOGLE-AS-APGoogleAsiaPacificPteLtdSGfalse
                                                                                                                                                  147.45.47.126
                                                                                                                                                  		unknownRussian Federation
                                                                                                                                                  		2895FREE-NET-ASFREEnetEUtrue
                                                                                                                                                  104.26.5.15
                                                                                                                                                  		db-ip.comUnited States
                                                                                                                                                  		13335CLOUDFLARENETUSfalse

                                                                                                                                                  General Information

                                                                                                                                                  Joe Sandbox version:40.0.0 Tourmaline
                                                                                                                                                  Analysis ID:1440164
                                                                                                                                                  Start date and time:2024-05-12 12:02:08 +02:00
                                                                                                                                                  Joe Sandbox product:CloudBasic
                                                                                                                                                  Overall analysis duration:0h 9m 12s
                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                  Report type:light
                                                                                                                                                  Cookbook file name:default.jbs
                                                                                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                  Number of analysed new started processes analysed:20
                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                  Technologies:
                                                                                                                                                  • HCA enabled
                                                                                                                                                  • EGA enabled
                                                                                                                                                  • AMSI enabled
                                                                                                                                                  Analysis Mode:default
                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                  Sample name:file.exe
                                                                                                                                                  Detection:MAL
                                                                                                                                                  Classification:mal100.troj.spyw.evad.winEXE@14/81@2/3
                                                                                                                                                  EGA Information:
                                                                                                                                                  • Successful, ratio: 100%
                                                                                                                                                  HCA Information:
                                                                                                                                                  • Successful, ratio: 58%
                                                                                                                                                  • Number of executed functions: 0
                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                  Cookbook Comments:
                                                                                                                                                  • Found application associated with file extension: .exe

                                                                                                                                                  Warnings

                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                                                                                                                                  • TCP Packets have been reduced to 100
                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 20.42.73.29
                                                                                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                  • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                                                                                                                                  Simulations

                                                                                                                                                  Behavior and APIs

                                                                                                                                                  TimeTypeDescription
                                                                                                                                                  11:02:53AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                  11:02:54Task SchedulerRun new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  11:02:56Task SchedulerRun new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  11:03:02AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                  12:03:31API Interceptor3x Sleep call for process: WerFault.exe modified

                                                                                                                                                  Joe Sandbox View / Context

                                                                                                                                                  IPs

                                                                                                                                                  No context

                                                                                                                                                  Domains

                                                                                                                                                  No context

                                                                                                                                                  ASNs

                                                                                                                                                  No context

                                                                                                                                                  JA3 Fingerprints

                                                                                                                                                  No context

                                                                                                                                                  Dropped Files

                                                                                                                                                  No context

                                                                                                                                                  Created / dropped Files

                                                                                                                                                  C:\ProgramData\MPGPH131\MPGPH131.exe

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):3241984
                                                                                                                                                  Entropy (8bit):7.9780906837515655
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:98304:0y5rnbPr5he+zDgy3yQ7rDnI19mQxWaF67:0ADbPDQyCErDI19mQxvF6
                                                                                                                                                  MD5:72007357BEB74FEA20E7DAA285212B16
                                                                                                                                                  SHA1:E37F50ACE578FC3A69FB7A312A659D51491E32B0
                                                                                                                                                  SHA-256:6A1BDA6FA37B02776B44C80FC1D8329BD7FBD49FF46EAF37346E5C436A52EC9E
                                                                                                                                                  SHA-512:72A731A1F9DFA6E927665BB5649420A1114FECAAC6E7E30CCDA9028F37C1E6DE582E0F237F5A95CD012603B916C19AA31582729FCBC3D86DB4A2C4B96D6ACC4E
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 47%
                                                                                                                                                  • Antivirus: Virustotal, Detection: 59%, Browse
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L...jR;f...............'.............C............@..........................`............@... .. .... .. ..........P.......p...............................0........................................................................................................<..................@........................@..............@............P...P.......B..............@........................J..............@................p...b...J..............@....rsrc...............................@..@..........y......(...v..............@....data.....".......".................@...................................................................................................................................................

                                                                                                                                                  C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):26
                                                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:high, very likely benign file
                                                                                                                                                  Preview:[ZoneTransfer]....ZoneId=0

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_a2f39f18c7bab85a936641112cf4d8a65518de_de9be973_9436b2ab-098a-4a19-b205-1dc59dcf74a1\Report.wer

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):65536
                                                                                                                                                  Entropy (8bit):1.0848730846464338
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:2WCla+zq8Dz0N/76G6E6jjTZrlyLB+EzuiFeZ24IO826t:EvqegN/76ZjNEzuiFeY4IO8p
                                                                                                                                                  MD5:6D1CA6FA7CC5E11C779DA8505F7044BD
                                                                                                                                                  SHA1:DE94057A574DABD506916FBB4C49D5FCFF0018C6
                                                                                                                                                  SHA-256:352D053BA30FCF1B708AA89BD0DD4FD34A7704E4F39C8ED778D1A443E530BE03
                                                                                                                                                  SHA-512:A363F190E06828BE801742C6125DBFEF59F5FDC6C9414A6279779483BBC4861FC478B5335641F90FBAC785792137FB02C37D2446859088CA1B3EE061B10C2F34
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.9.8.1.7.9.0.8.0.8.2.9.9.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.9.8.1.7.9.2.0.2.7.0.5.5.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.3.6.b.2.a.b.-.0.9.8.a.-.4.a.1.9.-.b.2.0.5.-.1.d.c.5.9.d.c.f.7.4.a.1.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.1.d.3.0.9.3.3.-.0.8.1.c.-.4.f.a.3.-.a.4.c.3.-.9.c.0.b.8.3.d.8.5.3.2.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.8.8.-.0.0.0.1.-.0.0.1.4.-.4.9.3.4.-.d.5.8.f.5.3.a.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.e.3.7.f.5.0.a.c.e.5.7.8.f.c.3.a.6.9.f.b.7.a.

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_a2f39f18c7bab85a936641112cf4d8a65518de_de9be973_94773830-acbf-49ed-a888-c6bd52737c00\Report.wer

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):65536
                                                                                                                                                  Entropy (8bit):1.0915295450278297
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:Y0lS+zD8Dz0N/76G6E6jjYZrSruBF9zuiFeZ24IO826t:rXDegN/76ZjC9zuiFeY4IO8p
                                                                                                                                                  MD5:A8D137DE10693B8D60435C79C4D1BE12
                                                                                                                                                  SHA1:061332B6D6A678E83FCB112ED21AD2DA85333C4F
                                                                                                                                                  SHA-256:9F7EC3A17FD18745DDB3663C88AC5E3A1B3678763F73266EABD27A608462A916
                                                                                                                                                  SHA-512:1B8AAAF7CEEB792D3187FCCE4C2776DD7BDBF08439380D6F1726896BCD7CD255BDAB784BC2CFA25C0475D23AEA0D9727E400DAFFD3A5F9FD971E50FB3EE86D25
                                                                                                                                                  Malicious:false
                                                                                                                                                  Reputation:low
                                                                                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.9.8.1.7.9.0.8.4.4.4.8.1.7.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.9.8.1.7.9.2.1.5.6.9.8.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.4.7.7.3.8.3.0.-.a.c.b.f.-.4.9.e.d.-.a.8.8.8.-.c.6.b.d.5.2.7.3.7.c.0.0.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.c.2.5.4.b.9.5.-.6.3.5.5.-.4.2.3.2.-.a.a.f.1.-.1.2.c.8.7.5.b.7.d.2.7.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.5.9.c.-.0.0.0.1.-.0.0.1.4.-.7.0.9.1.-.8.b.8.e.5.3.a.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.e.3.7.f.5.0.a.c.e.5.7.8.f.c.3.a.6.9.f.b.7.a.

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_f72aa47e83387be13decffad958dd6df2948b_3ea92c58_dec5365b-211a-4509-a3ee-25eef0619427\Report.wer

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):65536
                                                                                                                                                  Entropy (8bit):1.0841666276870021
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:bvgvBKhvkgPXF07VDliI3jYZrSruVzfzuiFeZ24IO8iB:Wakgvm7VDlBjAfzuiFeY4IO8S
                                                                                                                                                  MD5:6A3C0263B0FE85DDC8D460E4041DF5F9
                                                                                                                                                  SHA1:BE5C14905183120605A91410F6B4C31DDA4D60E9
                                                                                                                                                  SHA-256:088908B7FAA974FA06F2E0410AE67A43B04DD1F3D061A879F557EF328DA98C6A
                                                                                                                                                  SHA-512:B30A8EFB194BFEC3C20419079A95F9AD0C33C9C82D352C628E33193200D32D5474593CEF0BC75D5940793CB34E89618AC3824D2BB7330FB88D6C38790679A360
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.9.8.1.7.8.9.4.6.8.4.5.7.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.9.8.1.7.9.1.2.6.5.3.3.1.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.e.c.5.3.6.5.b.-.2.1.1.a.-.4.5.0.9.-.a.3.e.e.-.2.5.e.e.f.0.6.1.9.4.2.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.9.7.d.7.3.f.6.-.2.b.a.f.-.4.3.2.a.-.8.e.0.a.-.2.b.4.4.f.2.e.7.f.f.8.0.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.e.8.-.0.0.0.1.-.0.0.1.4.-.5.f.f.4.-.2.b.8.d.5.3.a.4.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.e.3.7.f.5.0.a.c.e.5.7.8.f.c.3.a.6.9.f.b.7.a.3.1.2.a.

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER1C00.tmp.dmp

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:Mini DuMP crash report, 15 streams, Sun May 12 10:03:10 2024, 0x1205a4 type
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):129498
                                                                                                                                                  Entropy (8bit):1.857568066610471
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:zJhmAX51ue6EYq0smQweS/B3fO8VRpDw+4sIG5/jJ2DmQbBKZB:z7XTue6xxNQ03hFD14vGNF2awBI
                                                                                                                                                  MD5:78FDFD9D8DF6405323D119C96499AB31
                                                                                                                                                  SHA1:24D77575C66015C624FC7ED0BE3C27A4AC1483EF
                                                                                                                                                  SHA-256:9ED05429DB89E116C8DCE0AD108FFEC1CEB54A56C6E5C24BA641A01139155FB1
                                                                                                                                                  SHA-512:CBB508564D8F845A86FA5CCDC36A52060259C7EE3DC9C9FA544E83252530292B2FF554E6CF6DDD93541623A1500DE89042B44B6E70C94D5383BEEB8CA72E81CF
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:MDMP..a..... ........@f............D...........H...X.......l....%......$....U..........`.......8...........T............N..............&...........'..............................................................................eJ.......(......GenuineIntel............T............@f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F9B.tmp.WERInternalMetadata.xml

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):8372
                                                                                                                                                  Entropy (8bit):3.6943459612633713
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:R6l7wVeJFCy6T6Y9kSUS67gmfBhJJQprF89bjdsfBhm:R6lXJl6T6YOSUS67gmf3JJnjWfW
                                                                                                                                                  MD5:7D9C49C01B0E7F6CD914C73C79C35E37
                                                                                                                                                  SHA1:1F8AD420E11DF4B79406189ABB4895F4DE7592D2
                                                                                                                                                  SHA-256:72F406A1B198CA18B745881F89AA535F766342AE5C3B2F73728A948CC11BD68F
                                                                                                                                                  SHA-512:219B28B62618AED952260CA62A614EB451862DEBB033344EDA7A17A473D0E7667922BF3BD4695AEB633194127E152DC12F51C4E7DDCF34A06CFC8B2F69E87A11
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.4.<./.P.i.d.

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER2019.tmp.xml

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4693
                                                                                                                                                  Entropy (8bit):4.497637899098605
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:cvIwWl8zsdJg77aI9tCWpW8VYoYm8M4JGwhfFKz+q8khs+1qVyxoYafd:uIjf3I7rD7VYJWzvggxoY8d
                                                                                                                                                  MD5:4F6E15A022B6829FDA98E3475E2F8347
                                                                                                                                                  SHA1:5426BF9ADD7A9C04BA4C86D3E4FE5FA7C9B64D2E
                                                                                                                                                  SHA-256:EE4888A8318A68A61A49A26E10A2535CBCE6007BE4CA13ABB8F7FA4FE9306A7B
                                                                                                                                                  SHA-512:34A801720D56EB0B8B0931BA8BF4776BF76EADD675DDEF571855D00D74AEED803A56C2554F58AA3AB30830247F3C9350DD10659C93D4C50E963DA35D9DA2D91C
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="319745" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER20C3.tmp.dmp

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:Mini DuMP crash report, 15 streams, Sun May 12 10:03:11 2024, 0x1205a4 type
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):132270
                                                                                                                                                  Entropy (8bit):1.8059476559714567
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:9wJ2rVqyDXAXxLSe6iv0z9+P0pyFw5n63IT3hGc8nwLgNQF2y4HegkCahW0:9ZrV3QXZSe6FzXpT03IbBCNQF49aJ
                                                                                                                                                  MD5:D433322A8EFE15733AD3C40B15A49753
                                                                                                                                                  SHA1:6DC2992CAF5EB1DDCCFE000BD2335C64A063120A
                                                                                                                                                  SHA-256:34D540EE2D778BA0BF0CA7075612055484AD8169F6F65622F2ADB6BB8CCE5F1E
                                                                                                                                                  SHA-512:90EE2BA9F3BAF8A53608C48B5253AF34090FA588412781A0292E963909E95529A06CD8B5E5E9ED565D0748E93EA16A6E05BD4CB2338684E6F66EAEFDB442358F
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:MDMP..a..... ........@f............D...............X.......l...4%...........T..........`.......8...........T............L...............%...........'..............................................................................eJ......$(......GenuineIntel............T............@f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER214F.tmp.dmp

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:Mini DuMP crash report, 15 streams, Sun May 12 10:03:11 2024, 0x1205a4 type
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):128110
                                                                                                                                                  Entropy (8bit):1.8527198806427885
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:384:iqaoTaHlue6e+Hte8WepRyu6UuAjdSAWsx3HkfvVM4:N/TUue6eEt/cOPGfdM4
                                                                                                                                                  MD5:8BE259A42CE320284F547ECA648E06FD
                                                                                                                                                  SHA1:861C2E3656EF90BB0B63F2E7E89F46F37D20B0E8
                                                                                                                                                  SHA-256:218BE593563F4EF9AC005139175C0311519AE76C25A5753F508C744D898B1BC8
                                                                                                                                                  SHA-512:E57497F3EDF663765B29E0DF4CF2812611C8CE96492B858E1DA0757AFDD2B968880934B0F7F476C7EF8CDC37791D2DAFB9F1794B631B9D62230DD728425783FA
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:MDMP..a..... ........@f............D...........H...X.......l....%...........U..........`.......8...........T...........xL...............&...........'..............................................................................eJ.......(......GenuineIntel............T............@f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER21FC.tmp.WERInternalMetadata.xml

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):6368
                                                                                                                                                  Entropy (8bit):3.727014031899765
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:R6l7wVeJLuV6kcYizJJrpra89badsf+em:R6lXJo6kcYMJJ1aWf+
                                                                                                                                                  MD5:8D59EA10F8F3A1A09476A275F0FD982F
                                                                                                                                                  SHA1:2B5827F482A6766B2A8C4965EE22E624957F78C4
                                                                                                                                                  SHA-256:388AD2B848669C50A82ED3E83774B706230E782EDF33F9F7FE0C56109474DD44
                                                                                                                                                  SHA-512:3D302461CE04910E922F10A7896545D91A9C82FAD2ED082035AB7C51F44C5CB403CEAEDB15C3C060C292B58769F8CC56434C8397AAB06A5B5A45359B3FCF3CF6
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.4.8.<./.P.i.d.

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER226A.tmp.WERInternalMetadata.xml

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):6372
                                                                                                                                                  Entropy (8bit):3.727914298468493
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:R6l7wVeJJub6mjTYizJJrpr689baFsf5em:R6lXJk64YMJJVaefp
                                                                                                                                                  MD5:9C9D0BDABF1B2755954555C269B8E11F
                                                                                                                                                  SHA1:54D35F61D2DD9D8D712EB922D3813CFCF8783E72
                                                                                                                                                  SHA-256:C038A9267EB41CC175285F498DC7ED5CDE931640AAE8FC21F18B7F340EA3CB66
                                                                                                                                                  SHA-512:F4B4CE89D094554774839100A0D6E52D112CAFB46B31E05041292AEF766A3E8CBD328B1FEBD4337725EC7474DA9EA46B3DA2C4018DE504F8B49F1F4D8A3CF3F1
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.4.3.6.<./.P.i.

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER226B.tmp.xml

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4713
                                                                                                                                                  Entropy (8bit):4.52370810854721
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:cvIwWl8zsdJg77aI9tCWpW8VYwYm8M4Jy8zF3+q8fYAxVyaojrfd:uIjf3I7rD7V4JNJgZxgaojDd
                                                                                                                                                  MD5:95699BB3B22E438924C763D6C79EC250
                                                                                                                                                  SHA1:38B36CED2DB0A8743874741B253BA6DE65B18BFA
                                                                                                                                                  SHA-256:5928ABDD4EFBD48B8B33D14556CA232F84F9DD13A1B0295477647EC736CCA18C
                                                                                                                                                  SHA-512:9E038659D2ED848DE721A335F19D6A353B2CD92DF1E312621DAE47AFD4803DEBE2E78F423AEDDD5D0A6537A8E08F7A0DD2F201EBF9B8A31280823024B5582DF7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="319745" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                                                                                  C:\ProgramData\Microsoft\Windows\WER\Temp\WER22B9.tmp.xml

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4713
                                                                                                                                                  Entropy (8bit):4.524696941130901
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:cvIwWl8zsdJg77aI9tCWpW8VYXYm8M4Jy8zFK+q8fYZ+Vyaoj/fd:uIjf3I7rD7V3JNogi+gaojHd
                                                                                                                                                  MD5:40FBC326C8424DBCD784075A0FAFB469
                                                                                                                                                  SHA1:FEAD49005144474507B777A5F5ABF4C14A611FE4
                                                                                                                                                  SHA-256:F62F7B554F524977D1B7DF31820B4B4EDF0E85DA703727A92D8C4A0858F904FC
                                                                                                                                                  SHA-512:DF6E823E8D2166CF2C58F3198A6DF3FD910BE1859CD41B0F0B87E2F675431CC48A64BC19C52CF6C858A02A275A73AFE257828DB42E7DB314032B43CF33C3C7F4
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="319745" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                                                                                                                                  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):3241984
                                                                                                                                                  Entropy (8bit):7.9780906837515655
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:98304:0y5rnbPr5he+zDgy3yQ7rDnI19mQxWaF67:0ADbPDQyCErDI19mQxvF6
                                                                                                                                                  MD5:72007357BEB74FEA20E7DAA285212B16
                                                                                                                                                  SHA1:E37F50ACE578FC3A69FB7A312A659D51491E32B0
                                                                                                                                                  SHA-256:6A1BDA6FA37B02776B44C80FC1D8329BD7FBD49FF46EAF37346E5C436A52EC9E
                                                                                                                                                  SHA-512:72A731A1F9DFA6E927665BB5649420A1114FECAAC6E7E30CCDA9028F37C1E6DE582E0F237F5A95CD012603B916C19AA31582729FCBC3D86DB4A2C4B96D6ACC4E
                                                                                                                                                  Malicious:true
                                                                                                                                                  Antivirus:
                                                                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 47%
                                                                                                                                                  • Antivirus: Virustotal, Detection: 59%, Browse
                                                                                                                                                  Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L...jR;f...............'.............C............@..........................`............@... .. .... .. ..........P.......p...............................0........................................................................................................<..................@........................@..............@............P...P.......B..............@........................J..............@................p...b...J..............@....rsrc...............................@..@..........y......(...v..............@....data.....".......".................@...................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):26
                                                                                                                                                  Entropy (8bit):3.95006375643621
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:ggPYV:rPYV
                                                                                                                                                  MD5:187F488E27DB4AF347237FE461A079AD
                                                                                                                                                  SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                                                                                  SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                                                                                  SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:[ZoneTransfer]....ZoneId=0

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\8klzCUsmQMVYazLTWo6KoKU.zip

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):5562
                                                                                                                                                  Entropy (8bit):7.899388839027838
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:9WGzqeAoMq+YK0KF8cAJiI2i+uVy611sFDgsmns0sq0/gL3KJd:RqASpF8wFmHMDgsIsq0/w6Jd
                                                                                                                                                  MD5:72E1DF0B34942CC21E3D5AF1BBC42740
                                                                                                                                                  SHA1:9117F1EDDD55D6E6646EB5B742920368F305FABE
                                                                                                                                                  SHA-256:124FFEB118D235DE2CCDAC22BF23AEC7114033A17BC49183BFCE2E473A1E147B
                                                                                                                                                  SHA-512:E1A33FFB7850B147F1AED4927CCD5470076EA37A3736ACA9091A6E78587DA7D58D46CA9C991416E1552BC50DA8BD8C5CBE08D532F1B6DA8B6706BD22DF78036C
                                                                                                                                                  Malicious:true
                                                                                                                                                  Yara Hits:
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\8klzCUsmQMVYazLTWo6KoKU.zip, Author: Joe Security
                                                                                                                                                  Preview:PK........a`.X................Cookies\..PK........a`.XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\OGKFocHES6dDgKTCWPSJdQR.zip

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                  Category:modified
                                                                                                                                                  Size (bytes):5560
                                                                                                                                                  Entropy (8bit):7.899805493655838
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:9WGzqeAoMq+YK0KF8cAJiI2i+upx+xa+uOsp1UIOCrx6wmc03KJm:RqASpF8wFnuOsp86Jm
                                                                                                                                                  MD5:333D01FF0C692D723E5170FDA912B5AF
                                                                                                                                                  SHA1:07D4BEA07B71774D9D0F68EF748CB8741C63830C
                                                                                                                                                  SHA-256:F09CDDEAD24F51F9AC512A6831006FBA2A6E55052B504DEDAA10F47547F17D55
                                                                                                                                                  SHA-512:8143FE17258C37A44F9AC39103F91C88ADA65DADE80D63CDE979C43F9FC55E9EE60AB33C082FD3AD8E3B2E456ED28CDE1456840BDE513DDA624C496CA327B412
                                                                                                                                                  Malicious:true
                                                                                                                                                  Yara Hits:
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\OGKFocHES6dDgKTCWPSJdQR.zip, Author: Joe Security
                                                                                                                                                  Preview:PK........a`.X................Cookies\..PK........a`.XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\ZeTvTkc8PqqpWi0gm5JPfdt.zip

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):5564
                                                                                                                                                  Entropy (8bit):7.903318556347248
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:5WGzqeAoMq+YK0KF8cAJiI2i+u8/q9ajB5lfNlAyrEoq4y3KJ2:NqASpF8wF0alQqBy6J2
                                                                                                                                                  MD5:045884CAC8190E44F7ABC2867D46807B
                                                                                                                                                  SHA1:9B7FA398E1FE1FB3B5F027F094674BEA6B69F3BF
                                                                                                                                                  SHA-256:24D8BBA77FD2B7E7E1FF88094B98394065B2E4C33AFE64FEC47329395DB8054F
                                                                                                                                                  SHA-512:17E1E9DC4320F5872267390AF1DE2851614611DC62A75341798771A1F38BEDF0916D7727C57850194BA2EF15E9F5122CC8DC31AA395BE0B7ECBD4B7A66C6B5A4
                                                                                                                                                  Malicious:true
                                                                                                                                                  Yara Hits:
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\ZeTvTkc8PqqpWi0gm5JPfdt.zip, Author: Joe Security
                                                                                                                                                  Preview:PK........b`.X................Cookies\..PK........b`.XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E.*.l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3A*p.U5UX....Z.g:*e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O|.....>K......L*...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u|....v...3.;L..U?..b.....u..*..... .......F...P.a...|R*3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\rage131MP.tmp

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:ASCII text, with no line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):13
                                                                                                                                                  Entropy (8bit):2.7773627950641697
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:3:Ll8:Z8
                                                                                                                                                  MD5:FDE07C3E6A4701AADF1451E07AC819DE
                                                                                                                                                  SHA1:7C6F7BD99A9D5E7463A15CB16882F3D215352AEF
                                                                                                                                                  SHA-256:5CD07F7CB46D77804C7AB2CC3036631E3340016D7978A913DEED0053587E1611
                                                                                                                                                  SHA-512:BE51BE5F2DE955BEF34511538CE1E2FB2CDEDECD8DAB79582E28261827B00B8EA9ADD1DAF19597CBC148B039E96B082F2DA08EAB1A95DEB7C0517BD548A6B714
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:1715514971206

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\02zdBXl47cvzcookies.sqlite

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):98304
                                                                                                                                                  Entropy (8bit):0.08235737944063153
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\19u7ECnptzzlWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):106496
                                                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\1_QlH4gDMSHgHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):159744
                                                                                                                                                  Entropy (8bit):0.7873599747470391
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\3b6N2Xdh3CYwplaces.sqlite

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):5242880
                                                                                                                                                  Entropy (8bit):0.037963276276857943
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\66rslgkYekRJHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):159744
                                                                                                                                                  Entropy (8bit):0.7873599747470391
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\B087runuAKfxWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):106496
                                                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\ByL8mAxGwSmaWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):114688
                                                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\D87fZN3R3jFeplaces.sqlite

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):5242880
                                                                                                                                                  Entropy (8bit):0.037963276276857943
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\JhTxiIG1NfyxHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):126976
                                                                                                                                                  Entropy (8bit):0.47147045728725767
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\PJJYS_IpzF0mCookies

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):28672
                                                                                                                                                  Entropy (8bit):2.5793180405395284
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                                  MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                                  SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                                  SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                                  SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\azTbUSfG7fMXWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):114688
                                                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\ctu1BJdIHpHIWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):114688
                                                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\hxHjRwjYwPT3Login Data For Account

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):40960
                                                                                                                                                  Entropy (8bit):0.8553638852307782
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\mHC5xGA2ZDf7Login Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):40960
                                                                                                                                                  Entropy (8bit):0.8553638852307782
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\otYgbid_VcgTLogin Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):49152
                                                                                                                                                  Entropy (8bit):0.8180424350137764
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                  MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\rMqqLrP0489yHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):126976
                                                                                                                                                  Entropy (8bit):0.47147045728725767
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span1kjtHrReFnXF\sYcixjslgY3sWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):106496
                                                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\02zdBXl47cvzcookies.sqlite

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):98304
                                                                                                                                                  Entropy (8bit):0.08235737944063153
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\3b6N2Xdh3CYwplaces.sqlite

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):5242880
                                                                                                                                                  Entropy (8bit):0.037963276276857943
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\BdOSr6ULfsrrHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):126976
                                                                                                                                                  Entropy (8bit):0.47147045728725767
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\D87fZN3R3jFeplaces.sqlite

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):5242880
                                                                                                                                                  Entropy (8bit):0.037963276276857943
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\HK3i7VEtGMBbWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):114688
                                                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\ITZ0bicyJ58aHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):159744
                                                                                                                                                  Entropy (8bit):0.7873599747470391
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\J0EAMZmTySltWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):114688
                                                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\JsdnoRPI_10LHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):126976
                                                                                                                                                  Entropy (8bit):0.47147045728725767
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\SBUYXJCvH4fCWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):106496
                                                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\TRbMB5IbyYCfLogin Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):40960
                                                                                                                                                  Entropy (8bit):0.8553638852307782
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\_2Udgx0R4lC0Login Data For Account

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):40960
                                                                                                                                                  Entropy (8bit):0.8553638852307782
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\fp5Zfw4ryWNTWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):106496
                                                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\m78YdG3PG6psHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):159744
                                                                                                                                                  Entropy (8bit):0.7873599747470391
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\rh5eReF6pk1JWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):114688
                                                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\v8KCsYORX8h7Web Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):106496
                                                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\x6iuAgWaPHROLogin Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):49152
                                                                                                                                                  Entropy (8bit):0.8180424350137764
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                  MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\span7qiYjWFiJkre\zByDc7TM5G4BCookies

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):28672
                                                                                                                                                  Entropy (8bit):2.5793180405395284
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                                  MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                                  SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                                  SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                                  SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\02zdBXl47cvzcookies.sqlite

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):98304
                                                                                                                                                  Entropy (8bit):0.08235737944063153
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\3b6N2Xdh3CYwplaces.sqlite

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):5242880
                                                                                                                                                  Entropy (8bit):0.037963276276857943
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\3vXQ9NJu865mWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):114688
                                                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\4mK_R6tOoPGgWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):114688
                                                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\C053a7OlzkOwHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):126976
                                                                                                                                                  Entropy (8bit):0.47147045728725767
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\D87fZN3R3jFeplaces.sqlite

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):5242880
                                                                                                                                                  Entropy (8bit):0.037963276276857943
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                                                                                                                                  MD5:C0FDF21AE11A6D1FA1201D502614B622
                                                                                                                                                  SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                                                                                                                                  SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                                                                                                                                  SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\DPh3g7VanZ0uLogin Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):49152
                                                                                                                                                  Entropy (8bit):0.8180424350137764
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                                                                                                                                  MD5:349E6EB110E34A08924D92F6B334801D
                                                                                                                                                  SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                                                                                                                                  SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                                                                                                                                  SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\IdCNLqBK5BIzWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):106496
                                                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\JRPAhKRZ9ZTqHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):159744
                                                                                                                                                  Entropy (8bit):0.7873599747470391
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\M4EU2Y_AAhWdWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):106496
                                                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\STqIiTxIo5J7Login Data For Account

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):40960
                                                                                                                                                  Entropy (8bit):0.8553638852307782
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\ad9xHU1sHgxoWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):106496
                                                                                                                                                  Entropy (8bit):1.1358696453229276
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                                                                                                                                  MD5:28591AA4E12D1C4FC761BE7C0A468622
                                                                                                                                                  SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                                                                                                                                  SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                                                                                                                                  SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\oUhaH1047Io5Login Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):40960
                                                                                                                                                  Entropy (8bit):0.8553638852307782
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\opKyAgExHDMyCookies

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):28672
                                                                                                                                                  Entropy (8bit):2.5793180405395284
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                                                                                                                                  MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                                                                                                                                  SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                                                                                                                                  SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                                                                                                                                  SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\rakgGBowKZnMHistory

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):159744
                                                                                                                                                  Entropy (8bit):0.7873599747470391
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                                                                                                                                  MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                                                                                                                                  SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                                                                                                                                  SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                                                                                                                                  SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\sI5BW4MD5Iw7History

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):126976
                                                                                                                                                  Entropy (8bit):0.47147045728725767
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                                                                                                                                  MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                                                                                                                                  SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                                                                                                                                  SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                                                                                                                                  SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\spanr3JGE0E2FYa9\x7WOFKlgU8fPWeb Data

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):114688
                                                                                                                                                  Entropy (8bit):0.9746603542602881
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\trixy1kjtHrReFnXF\Cookies\Chrome_Default.txt

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):6085
                                                                                                                                                  Entropy (8bit):6.038274200863744
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                                                  MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                                                  SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                                                  SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                                                  SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\trixy1kjtHrReFnXF\information.txt

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):7024
                                                                                                                                                  Entropy (8bit):5.405842873817507
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:xfOCDCRencT4Aisph+9hcmYemgfhTme1LrXXZEAHRANUbg3x:xgwnvAtphWhcmLmgVJN6B
                                                                                                                                                  MD5:ED318C125F614E4E075ADC28243FF285
                                                                                                                                                  SHA1:DA53435D381FECB8236D3832C8E67A97117CCDB5
                                                                                                                                                  SHA-256:F4B24F83A05A26FD0D263D50B116B6F9F45257AD3F859B2DB1C1799BB821ACEA
                                                                                                                                                  SHA-512:DC202FBB60479376BE95D2617979EF51703BBD29738111E27B20708BABAFC6497F6DA539CAAEE9F9B705E3D93AEAAA0AD0E79BF12538E4832A9BF7E0C7B04FAB
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:Build: tanos..Version: 2.0....Date: Sun May 12 12:03:03 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: ee1dfe812e79685eafc5926398018eff....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy1kjtHrReFnXF....IP: 81.181.60.11..Location: US, Seattle..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 116938 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 12/5/2024 12:3:3..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\trixy1kjtHrReFnXF\passwords.txt

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4897
                                                                                                                                                  Entropy (8bit):2.518316437186352
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                  MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                  SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                  SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                  SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\trixy7qiYjWFiJkre\Cookies\Chrome_Default.txt

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):6085
                                                                                                                                                  Entropy (8bit):6.038274200863744
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                                                  MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                                                  SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                                                  SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                                                  SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\trixy7qiYjWFiJkre\information.txt

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):7024
                                                                                                                                                  Entropy (8bit):5.405300259476804
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:xfO80lCReRcT4Aisph+9hcmYemgfhTme1LrXXZEAHRANUbg3x:xNwRvAtphWhcmLmgVJN6B
                                                                                                                                                  MD5:B25F5DE46F5AFB6B4504680091AFC1A4
                                                                                                                                                  SHA1:618E393F5DCEF7CB9DE6F0F642D24861AF86D0CC
                                                                                                                                                  SHA-256:DEC8266FB7C00518CEBEFDE634EE3171A4E05EC1558203648EABD4301BD0BEC3
                                                                                                                                                  SHA-512:6BCC657EDE9BE50AF34D0D3988EB9E77F332BFD63899578F0A8E95F1BDABA19CDFA6BF391366FDA49FEF36C2B0FED2AE46C27058DA66D4E6A8CE5CA009EF3B81
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:Build: tanos..Version: 2.0....Date: Sun May 12 12:03:05 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: ee1dfe812e79685eafc5926398018eff....Path: C:\ProgramData\MPGPH131\MPGPH131.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy7qiYjWFiJkre....IP: 81.181.60.11..Location: US, Seattle..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 116938 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 12/5/2024 12:3:5..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\trixy7qiYjWFiJkre\passwords.txt

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4897
                                                                                                                                                  Entropy (8bit):2.518316437186352
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                  MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                  SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                  SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                  SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\trixyr3JGE0E2FYa9\Cookies\Chrome_Default.txt

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:ASCII text, with very long lines (769), with CRLF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):6085
                                                                                                                                                  Entropy (8bit):6.038274200863744
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
                                                                                                                                                  MD5:ACB5AD34236C58F9F7D219FB628E3B58
                                                                                                                                                  SHA1:02E39404CA22F1368C46A7B8398F5F6001DB8F5C
                                                                                                                                                  SHA-256:05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
                                                                                                                                                  SHA-512:5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:.google.com.TRUE./.TRUE.1712145003.NID.ENC893*_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893*_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893*_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\trixyr3JGE0E2FYa9\information.txt

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):7019
                                                                                                                                                  Entropy (8bit):5.398038801982099
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:96:xfOaGVOCRe6cT4Aisph+9hcmYemgfhTme1LrXXZEAHRANUbg3x:xjmw6vAtphWhcmLmgVJN6B
                                                                                                                                                  MD5:64E3C5506DC469A135FFD609CB2756FF
                                                                                                                                                  SHA1:60844CBA7C9DD72837A6A76114E037E4ED209A11
                                                                                                                                                  SHA-256:12A961781BA5C671E31DE2E7D12E8958989F94E377ADB047A8554D5477A9CD34
                                                                                                                                                  SHA-512:622C9EA60B194A0A84F55A8D2830CCA375BFFF65A98D0A63FCF577BA4774228F7C085056BB3CD361DB40F72B479CDDC6046A3C975E652F8AA2E0F7AB3C8707EF
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:Build: tanos..Version: 2.0....Date: Sun May 12 12:03:02 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: ee1dfe812e79685eafc5926398018eff....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyr3JGE0E2FYa9....IP: 81.181.60.11..Location: US, Seattle..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 116938 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 12/5/2024 12:3:2..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..svcho

                                                                                                                                                  C:\Users\user\AppData\Local\Temp\trixyr3JGE0E2FYa9\passwords.txt

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                                                                  File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):4897
                                                                                                                                                  Entropy (8bit):2.518316437186352
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                                                                                                                                                  MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                                                                                                                                                  SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                                                                                                                                                  SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                                                                                                                                                  SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  C:\Windows\appcompat\Programs\Amcache.hve

                                                                                                                                                  Download File
                                                                                                                                                  Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                  Category:dropped
                                                                                                                                                  Size (bytes):1835008
                                                                                                                                                  Entropy (8bit):4.46902234255053
                                                                                                                                                  Encrypted:false
                                                                                                                                                  SSDEEP:6144:aIXfpi67eLPU9skLmb0b4fWSPKaJG8nAgejZMMhA2gX4WABl0uN2dwBCswSba:vXD94fWlLZMM6YFHU+a
                                                                                                                                                  MD5:ED2CDB80556696E79FEA0B0476130ECF
                                                                                                                                                  SHA1:DB571940C5DE335ADFED1583AD02F21196061878
                                                                                                                                                  SHA-256:4804864D288172513D87F51A6F54E4DA20BDB24ABDFCA550A8FBB8FB0F7B211D
                                                                                                                                                  SHA-512:44CBF02759361376E20C408A0AA833CF28E28E958BBE3480DE41B8A7741DF9FC3B441E04974F8DCE4E4B01BF2C8630E12F715DA56AAE29816987D0850AC4FCCA
                                                                                                                                                  Malicious:false
                                                                                                                                                  Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..K.S................................................................................................................................................................................................................................................................................................................................................s\.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                  Static File Info

                                                                                                                                                  General

                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                  Entropy (8bit):7.9780906837515655
                                                                                                                                                  TrID:
                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                  File name:file.exe
                                                                                                                                                  File size:3'241'984 bytes
                                                                                                                                                  MD5:72007357beb74fea20e7daa285212b16
                                                                                                                                                  SHA1:e37f50ace578fc3a69fb7a312a659d51491e32b0
                                                                                                                                                  SHA256:6a1bda6fa37b02776b44c80fc1d8329bd7fbd49ff46eaf37346e5c436a52ec9e
                                                                                                                                                  SHA512:72a731a1f9dfa6e927665bb5649420a1114fecaac6e7e30ccda9028f37c1e6de582e0f237f5a95cd012603b916c19aa31582729fcbc3d86db4a2c4b96d6acc4e
                                                                                                                                                  SSDEEP:98304:0y5rnbPr5he+zDgy3yQ7rDnI19mQxWaF67:0ADbPDQyCErDI19mQxvF6
                                                                                                                                                  TLSH:1AE533A9C30694BAD74EDEFFDA6094BF043FDDE87AC0E443660128875C75A94383A479
                                                                                                                                                  File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

                                                                                                                                                  File Icon

                                                                                                                                                  Icon Hash:1e637808c76c1d83

                                                                                                                                                  Static PE Info

                                                                                                                                                  General

                                                                                                                                                  Entrypoint:0xf743b0
                                                                                                                                                  Entrypoint Section:.data
                                                                                                                                                  Digitally signed:false
                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                                                                                  Time Stamp:0x663B526A [Wed May 8 10:22:34 2024 UTC]
                                                                                                                                                  TLS Callbacks:
                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                  OS Version Major:6
                                                                                                                                                  OS Version Minor:0
                                                                                                                                                  File Version Major:6
                                                                                                                                                  File Version Minor:0
                                                                                                                                                  Subsystem Version Major:6
                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                  Import Hash:272279f18f704f637aa129691266b291

                                                                                                                                                  Entrypoint Preview

                                                                                                                                                  Instruction
                                                                                                                                                  jmp 00007F1AE8EA10CAh
                                                                                                                                                  add byte ptr [esi+0000000Eh], bl
                                                                                                                                                  add byte ptr [eax], al
                                                                                                                                                  pushad
                                                                                                                                                  call 00007F1AE8EA10C5h
                                                                                                                                                  pop ebp
                                                                                                                                                  sub ebp, 00000010h
                                                                                                                                                  sub ebp, 00B743B0h
                                                                                                                                                  jmp 00007F1AE8EA10C9h
                                                                                                                                                  mov esi, B809D96Dh
                                                                                                                                                  mov al, 43h
                                                                                                                                                  mov bh, 00h
                                                                                                                                                  add eax, ebp
                                                                                                                                                  add eax, 0000004Ch
                                                                                                                                                  mov ecx, 000005A7h
                                                                                                                                                  mov edx, 6FC513ACh
                                                                                                                                                  xor byte ptr [eax], dl
                                                                                                                                                  inc eax
                                                                                                                                                  dec ecx
                                                                                                                                                  jne 00007F1AE8EA10BCh
                                                                                                                                                  jmp 00007F1AE8EA10C9h
                                                                                                                                                  pop ss
                                                                                                                                                  or al, 61h
                                                                                                                                                  pop ds
                                                                                                                                                  daa
                                                                                                                                                  popad
                                                                                                                                                  daa
                                                                                                                                                  and eax, ACACAC90h
                                                                                                                                                  sub eax, ACAC546Dh
                                                                                                                                                  lodsb
                                                                                                                                                  scasd
                                                                                                                                                  popad
                                                                                                                                                  adc al, AAh
                                                                                                                                                  lodsb
                                                                                                                                                  lodsb
                                                                                                                                                  lodsb
                                                                                                                                                  push ss
                                                                                                                                                  test byte ptr [esp+ebp*4-50B1A454h], ch
                                                                                                                                                  daa
                                                                                                                                                  sub eax, ACACACA0h
                                                                                                                                                  scasd
                                                                                                                                                  imul edi, esp, A3B8C4FCh
                                                                                                                                                  mov gs, word ptr [esp+eax*8-53C667D0h]
                                                                                                                                                  lodsd
                                                                                                                                                  or byte ptr [eax+4D08BDC4h], 00000003h
                                                                                                                                                  inc esp
                                                                                                                                                  test eax, 45ACACACh
                                                                                                                                                  call far 88C8h : 21ACACACh
                                                                                                                                                  push eax
                                                                                                                                                  and eax, C0218880h
                                                                                                                                                  mov byte ptr [edi-53535BD7h], ch
                                                                                                                                                  lodsb
                                                                                                                                                  daa
                                                                                                                                                  cmp dword ptr [eax+27ACACACh], esp
                                                                                                                                                  and dword ptr [esp+ebp*4+456DACACh], edi
                                                                                                                                                  scasb
                                                                                                                                                  popfd
                                                                                                                                                  scasb
                                                                                                                                                  das
                                                                                                                                                  outsb
                                                                                                                                                  test al, E5h
                                                                                                                                                  mov dword ptr [53535829h], eax
                                                                                                                                                  push ebx
                                                                                                                                                  daa
                                                                                                                                                  or byte ptr [eax-577737DFh], 0000006Eh

                                                                                                                                                  Data Directories

                                                                                                                                                  NameVirtual AddressVirtual Size Is in Section
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXPORT0x94b0500xe1e.data
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_IMPORT0x94be700x3b0.data
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE0x1a10000xc8bc.rsrc
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC0x94b0300x10.data
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_TLS0x94b0000x18.data
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_IAT0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                                                                                                                  IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                                                                                                                  Sections

                                                                                                                                                  NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                                                                                                                  0x10000x15c0000x93c00fb91b7bd755d7edf5f38440588fdf254False0.9999917380499154data7.999642093451103IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  0x15d0000x280000x102009a2d1dbb2ecdca4d0d0e514e8aea6c29False0.9983345445736435data7.99632844124323IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  0x1850000x50000x800ed435fb29d4a6ca60e5cf9de6ea89b30False0.99658203125data7.827423983071036IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  0x18a0000xd0000x0d41d8cd98f00b204e9800998ecf8427eFalse0empty0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  0x1970000xa0000x6200753317f0f9bdce2beaa1559920682af2False0.9880022321428571OpenPGP Public Key7.973813310249681IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  .rsrc0x1a10000xd0000xca006e46563fc615b7272cc3ab7b669e3874False0.6000541460396039data5.556770173829542IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                                                                                                  0x1ae0000x79a0000x328008a2ee6a3dca387fe01edde34bddc02b2unknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                                                                                                                  .data0x9480000x22e0000x22da00d062e04b8091a4fdaa89a7bd870c306aunknownunknownunknownunknownIMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

                                                                                                                                                  Resources

                                                                                                                                                  NameRVASizeTypeLanguageCountryZLIB Complexity
                                                                                                                                                  RT_ICON0x1a13700x668Device independent bitmap graphic, 48 x 96 x 4, image size 1152RussianRussia0.31402439024390244
                                                                                                                                                  RT_ICON0x1a19d80x2e8Device independent bitmap graphic, 32 x 64 x 4, image size 512RussianRussia0.42338709677419356
                                                                                                                                                  RT_ICON0x1a1cc00x1e8Device independent bitmap graphic, 24 x 48 x 4, image size 288RussianRussia0.5061475409836066
                                                                                                                                                  RT_ICON0x1a1ea80x128Device independent bitmap graphic, 16 x 32 x 4, image size 128RussianRussia0.5675675675675675
                                                                                                                                                  RT_ICON0x1a1fd00xea8Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colorsRussianRussia0.46961620469083154
                                                                                                                                                  RT_ICON0x1a2e780x8a8Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colorsRussianRussia0.4020758122743682
                                                                                                                                                  RT_ICON0x1a37200x6c8Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colorsRussianRussia0.45506912442396313
                                                                                                                                                  RT_ICON0x1a3de80x568Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colorsRussianRussia0.2904624277456647
                                                                                                                                                  RT_ICON0x1a43500x4b55PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedRussianRussia0.9921182266009853
                                                                                                                                                  RT_ICON0x1a8ea80x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600RussianRussia0.316701244813278
                                                                                                                                                  RT_ICON0x1ab4500x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224RussianRussia0.36186679174484054
                                                                                                                                                  RT_ICON0x1ac4f80x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400RussianRussia0.42418032786885246
                                                                                                                                                  RT_ICON0x1ace800x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088RussianRussia0.5026595744680851
                                                                                                                                                  RT_GROUP_ICON0x1ad2e80xbcdataRussianRussia0.6170212765957447
                                                                                                                                                  RT_VERSION0x1ad3a40x398OpenPGP Public KeyRussianRussia0.42282608695652174
                                                                                                                                                  RT_MANIFEST0x1ad73c0x17dXML 1.0 document, ASCII text, with CRLF line terminatorsEnglishUnited States0.5931758530183727

                                                                                                                                                  Imports

                                                                                                                                                  DLLImport
                                                                                                                                                  kernel32.dllGetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
                                                                                                                                                  user32.dllMessageBoxA
                                                                                                                                                  advapi32.dllRegCloseKey
                                                                                                                                                  oleaut32.dllSysFreeString
                                                                                                                                                  gdi32.dllCreateFontA
                                                                                                                                                  shell32.dllShellExecuteA
                                                                                                                                                  version.dllGetFileVersionInfoA
                                                                                                                                                  ole32.dllCoInitialize
                                                                                                                                                  WS2_32.dllWSAStartup
                                                                                                                                                  CRYPT32.dllCryptUnprotectData
                                                                                                                                                  SHLWAPI.dllPathFindExtensionA
                                                                                                                                                  gdiplus.dllGdipGetImageEncoders
                                                                                                                                                  SETUPAPI.dllSetupDiEnumDeviceInfo
                                                                                                                                                  ntdll.dllRtlUnicodeStringToAnsiString
                                                                                                                                                  RstrtMgr.DLLRmStartSession

                                                                                                                                                  Possible Origin

                                                                                                                                                  Language of compilation systemCountry where language is spokenMap
                                                                                                                                                  RussianRussia
                                                                                                                                                  EnglishUnited States

                                                                                                                                                  Network Behavior

                                                                                                                                                  Snort IDS Alerts

                                                                                                                                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                                                                                                  05/12/24-12:02:58.333893TCP2046266ET TROJAN [ANY.RUN] RisePro TCP (Token)5870949731147.45.47.126192.168.2.4
                                                                                                                                                  05/12/24-12:02:56.237225TCP2046266ET TROJAN [ANY.RUN] RisePro TCP (Token)5870949730147.45.47.126192.168.2.4
                                                                                                                                                  05/12/24-12:02:57.482973TCP2046267ET TROJAN [ANY.RUN] RisePro TCP (External IP)5870949730147.45.47.126192.168.2.4
                                                                                                                                                  05/12/24-12:02:58.992753TCP2046267ET TROJAN [ANY.RUN] RisePro TCP (External IP)5870949731147.45.47.126192.168.2.4
                                                                                                                                                  05/12/24-12:03:17.954872TCP2046266ET TROJAN [ANY.RUN] RisePro TCP (Token)5870949751147.45.47.126192.168.2.4
                                                                                                                                                  05/12/24-12:03:05.358724TCP2046269ET TROJAN [ANY.RUN] RisePro TCP (Activity)4973058709192.168.2.4147.45.47.126
                                                                                                                                                  05/12/24-12:03:06.218564TCP2046269ET TROJAN [ANY.RUN] RisePro TCP (Activity)4973158709192.168.2.4147.45.47.126
                                                                                                                                                  05/12/24-12:03:11.796109TCP2046269ET TROJAN [ANY.RUN] RisePro TCP (Activity)4973958709192.168.2.4147.45.47.126
                                                                                                                                                  05/12/24-12:03:08.562034TCP2046269ET TROJAN [ANY.RUN] RisePro TCP (Activity)4973658709192.168.2.4147.45.47.126
                                                                                                                                                  05/12/24-12:03:00.933956TCP2046267ET TROJAN [ANY.RUN] RisePro TCP (External IP)5870949736147.45.47.126192.168.2.4
                                                                                                                                                  05/12/24-12:03:07.984400TCP2046266ET TROJAN [ANY.RUN] RisePro TCP (Token)5870949739147.45.47.126192.168.2.4
                                                                                                                                                  05/12/24-12:03:00.497224TCP2046266ET TROJAN [ANY.RUN] RisePro TCP (Token)5870949736147.45.47.126192.168.2.4
                                                                                                                                                  05/12/24-12:02:55.911761TCP2049060ET TROJAN RisePro TCP Heartbeat Packet4973058709192.168.2.4147.45.47.126

                                                                                                                                                  Network Port Distribution

                                                                                                                                                  TCP Packets

                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                  May 12, 2024 12:02:55.567120075 CEST4973058709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:55.901746035 CEST5870949730147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:55.901832104 CEST4973058709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:55.911761045 CEST4973058709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:56.237225056 CEST5870949730147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:56.280395985 CEST4973058709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:56.297790051 CEST5870949730147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:57.482973099 CEST5870949730147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:57.530386925 CEST4973058709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:57.664839983 CEST4973158709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:57.792654991 CEST49732443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:57.792689085 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:57.792752028 CEST49732443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:57.796406031 CEST49732443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:57.796420097 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:57.865272999 CEST5870949730147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:57.865392923 CEST4973058709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:57.999320030 CEST5870949731147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:57.999427080 CEST4973158709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:58.020725012 CEST4973158709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:58.132184029 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.132307053 CEST49732443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:58.134747982 CEST49732443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:58.134756088 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.134980917 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.182138920 CEST49732443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:58.228116989 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.250719070 CEST5870949730147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.333893061 CEST5870949731147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.374147892 CEST4973158709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:58.407111883 CEST5870949731147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.516396046 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.516508102 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.516649961 CEST49732443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:58.519298077 CEST49732443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:58.519311905 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.519323111 CEST49732443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:58.519328117 CEST4434973234.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.687388897 CEST49733443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:58.687406063 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.687486887 CEST49733443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:58.687800884 CEST49733443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:58.687812090 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.992753029 CEST5870949731147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.024753094 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.024858952 CEST49733443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:59.027000904 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.027028084 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.027089119 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.027559996 CEST49733443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:59.027569056 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.027791023 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.028342962 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.028353930 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.028790951 CEST49733443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:59.046000957 CEST4973158709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:59.076117992 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.359721899 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.359857082 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.361188889 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.361196995 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.361430883 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.405425072 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.406560898 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.452124119 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.471086025 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.471167088 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.471221924 CEST49733443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:59.471395969 CEST49733443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:59.471414089 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.471421957 CEST49733443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:59.471431017 CEST44349733104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.477407932 CEST4973058709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:59.737987995 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.738090992 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.738152027 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.738424063 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.738440037 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.738456964 CEST49734443192.168.2.434.117.186.192
                                                                                                                                                  May 12, 2024 12:02:59.738464117 CEST4434973434.117.186.192192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.758518934 CEST49735443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:59.758541107 CEST44349735104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.758618116 CEST49735443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:59.758980036 CEST49735443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:02:59.758991003 CEST44349735104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.826524019 CEST4973658709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:02:59.860637903 CEST5870949730147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.913671970 CEST5870949730147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:59.946177006 CEST4973058709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:03:00.048217058 CEST5870949731147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:03:00.048409939 CEST4973158709192.168.2.4147.45.47.126
                                                                                                                                                  May 12, 2024 12:03:00.091185093 CEST44349735104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:03:00.091243982 CEST49735443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:03:00.092709064 CEST49735443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:03:00.092717886 CEST44349735104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:03:00.092943907 CEST44349735104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:03:00.094624996 CEST49735443192.168.2.4104.26.5.15
                                                                                                                                                  May 12, 2024 12:03:00.136125088 CEST44349735104.26.5.15192.168.2.4
                                                                                                                                                  May 12, 2024 12:03:00.161361933 CEST5870949736147.45.47.126192.168.2.4
                                                                                                                                                  May 12, 2024 12:03:00.161461115 CEST4973658709192.168.2.4147.45.47.126

                                                                                                                                                  UDP Packets

                                                                                                                                                  TimestampSource PortDest PortSource IPDest IP
                                                                                                                                                  May 12, 2024 12:02:57.623099089 CEST5883953192.168.2.41.1.1.1
                                                                                                                                                  May 12, 2024 12:02:57.786385059 CEST53588391.1.1.1192.168.2.4
                                                                                                                                                  May 12, 2024 12:02:58.521739006 CEST5831653192.168.2.41.1.1.1
                                                                                                                                                  May 12, 2024 12:02:58.686448097 CEST53583161.1.1.1192.168.2.4

                                                                                                                                                  DNS Queries

                                                                                                                                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                                                                                  May 12, 2024 12:02:57.623099089 CEST192.168.2.41.1.1.10xb47Standard query (0)ipinfo.ioA (IP address)IN (0x0001)false
                                                                                                                                                  May 12, 2024 12:02:58.521739006 CEST192.168.2.41.1.1.10x257cStandard query (0)db-ip.comA (IP address)IN (0x0001)false

                                                                                                                                                  DNS Answers

                                                                                                                                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                                                                                  May 12, 2024 12:02:57.786385059 CEST1.1.1.1192.168.2.40xb47No error (0)ipinfo.io34.117.186.192A (IP address)IN (0x0001)false
                                                                                                                                                  May 12, 2024 12:02:58.686448097 CEST1.1.1.1192.168.2.40x257cNo error (0)db-ip.com104.26.5.15A (IP address)IN (0x0001)false
                                                                                                                                                  May 12, 2024 12:02:58.686448097 CEST1.1.1.1192.168.2.40x257cNo error (0)db-ip.com172.67.75.166A (IP address)IN (0x0001)false
                                                                                                                                                  May 12, 2024 12:02:58.686448097 CEST1.1.1.1192.168.2.40x257cNo error (0)db-ip.com104.26.4.15A (IP address)IN (0x0001)false

                                                                                                                                                  HTTP Request Dependency Graph

                                                                                                                                                  • https:
                                                                                                                                                    • ipinfo.io
                                                                                                                                                  • db-ip.com

                                                                                                                                                  Statistics

                                                                                                                                                  Behavior

                                                                                                                                                  Click to jump to process

                                                                                                                                                  System Behavior

                                                                                                                                                  General

                                                                                                                                                  Target ID:0
                                                                                                                                                  Start time:12:02:51
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                                                                  Imagebase:0xbb0000
                                                                                                                                                  File size:3'241'984 bytes
                                                                                                                                                  MD5 hash:72007357BEB74FEA20E7DAA285212B16
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2017190533.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000000.00000002.2015608699.0000000000BB1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2016612734.00000000018C4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1754759356.00000000018FE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:1
                                                                                                                                                  Start time:12:02:54
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                                                                                                                                  Imagebase:0x510000
                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:2
                                                                                                                                                  Start time:12:02:54
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:3
                                                                                                                                                  Start time:12:02:54
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  Imagebase:0xf00000
                                                                                                                                                  File size:3'241'984 bytes
                                                                                                                                                  MD5 hash:72007357BEB74FEA20E7DAA285212B16
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000003.00000002.2026410193.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000003.00000002.2025872612.00000000009AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000003.00000002.2026784616.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000003.00000003.1763214228.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Antivirus matches:
                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                  • Detection: 47%, ReversingLabs
                                                                                                                                                  • Detection: 59%, Virustotal, Browse
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:4
                                                                                                                                                  Start time:12:02:54
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                                                                                                                                  Imagebase:0x510000
                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:5
                                                                                                                                                  Start time:12:02:54
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                  Imagebase:0x7ff7699e0000
                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:6
                                                                                                                                                  Start time:12:02:56
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                                                                                                                                  Imagebase:0xf00000
                                                                                                                                                  File size:3'241'984 bytes
                                                                                                                                                  MD5 hash:72007357BEB74FEA20E7DAA285212B16
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2038444283.00000000008D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000006.00000002.2039072826.0000000000F01000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.1786714219.0000000000999000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.2038444283.0000000000857000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:7
                                                                                                                                                  Start time:12:03:02
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                                                  Imagebase:0xb80000
                                                                                                                                                  File size:3'241'984 bytes
                                                                                                                                                  MD5 hash:72007357BEB74FEA20E7DAA285212B16
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000007.00000002.1858273700.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                                  Antivirus matches:
                                                                                                                                                  • Detection: 100%, Joe Sandbox ML
                                                                                                                                                  • Detection: 47%, ReversingLabs
                                                                                                                                                  • Detection: 59%, Virustotal, Browse
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:10
                                                                                                                                                  Start time:12:03:06
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 2028
                                                                                                                                                  Imagebase:0xfd0000
                                                                                                                                                  File size:483'680 bytes
                                                                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:13
                                                                                                                                                  Start time:12:03:10
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1436 -s 1956
                                                                                                                                                  Imagebase:0xfd0000
                                                                                                                                                  File size:483'680 bytes
                                                                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:15
                                                                                                                                                  Start time:12:03:10
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 648 -s 1908
                                                                                                                                                  Imagebase:0xfd0000
                                                                                                                                                  File size:483'680 bytes
                                                                                                                                                  MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                  Reputation:high
                                                                                                                                                  Has exited:true

                                                                                                                                                  General

                                                                                                                                                  Target ID:16
                                                                                                                                                  Start time:12:03:13
                                                                                                                                                  Start date:12/05/2024
                                                                                                                                                  Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                  Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                                                                                                                                  Imagebase:0xb80000
                                                                                                                                                  File size:3'241'984 bytes
                                                                                                                                                  MD5 hash:72007357BEB74FEA20E7DAA285212B16
                                                                                                                                                  Has elevated privileges:false
                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                  Programmed in:Borland Delphi
                                                                                                                                                  Yara matches:
                                                                                                                                                  • Rule: JoeSecurity_PrivateLoader, Description: Yara detected PrivateLoader, Source: 00000010.00000002.1922715500.0000000000B81000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                                                                                                                                  Reputation:low
                                                                                                                                                  Has exited:true

                                                                                                                                                  Disassembly

                                                                                                                                                  No disassembly