Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

AlCsIOd0pd.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.966792574709497
Filename:	AlCsIOd0pd.exe
Filesize:	3259920
MD5:	de584dd4970a8099454611ee0c739ea8
SHA1:	f22fe3bfb22b55d1f0dc2fd802a32d2beb157e0b
SHA256:	d0eff53cfd30f061451987b4e98205d81f9495e8f26def46aec15f7a4c171c20
SHA512:	58470ab84c35022860036cb5dfdccec9bb1f1ebea37e4745efc70c464e2ffb9b9835a1251cdf76c012f56dd0a72a4d448b0ac298da02f4676ebcccc03b2a0b76
SSDEEP:	98304:t+VDlD+ah2X5f2CiioP8peU/Ju4+iU2lfOZy81+1l:AnZYuTcRxuZiUiW9+1l
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	File and Directory Discovery
Tries to evade debugger and weak emulator (self modifying code)	Malware Analysis System Evasion
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	File and Directory Discovery
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Contains functionality to download additional files from the internet	Networking	Ingress Tool Transfer
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery System Information Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)	Malware Analysis System Evasion
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary	File and Directory Discovery
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\MPGPH131\MPGPH131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe
Category:	dropped
Dump:	MPGPH131.exe.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.966792574709497
Encrypted:	false
Ssdeep:	98304:t+VDlD+ah2X5f2CiioP8peU/Ju4+iU2lfOZy81+1l:AnZYuTcRxuZiUiW9+1l
Size:	3259920
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Machine Learning detection for dropped file	AV Detection
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier
Category:	dropped
Dump:	MPGPH131.exe_Zone.Identifier.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Machine Learning detection for dropped file	AV Detection
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Category:	dropped
Dump:	RageMP131.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.966792574709497
Encrypted:	false
Ssdeep:	98304:t+VDlD+ah2X5f2CiioP8peU/Ju4+iU2lfOZy81+1l:AnZYuTcRxuZiUiW9+1l
Size:	3259920
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier
Category:	dropped
Dump:	RageMP131.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)	Malware Analysis System Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

ASCII text, with no line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Category:	modified
Dump:	rage131MP.tmp.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Type:	ASCII text, with no line terminators
Entropy:	2.8731406795131336
Encrypted:	false
Ssdeep:	3:L1VRXxn:TRXxn
Size:	13
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\AlCsIOd0pd.exe

"C:\Users\user\Desktop\AlCsIOd0pd.exe"

Details

Is windows:	false
Is dropped:	false
PID:	4852
Target ID:	0
Parent PID:	2580
Name:	AlCsIOd0pd.exe
Path:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Commandline:	"C:\Users\user\Desktop\AlCsIOd0pd.exe"
Size:	3259920
MD5:	DE584DD4970A8099454611EE0C739EA8
Time:	12:16:14
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8282112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Multi AV Scanner detection for submitted file	AV Detection
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample is known by Antivirus	System Summary
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	1900
Target ID:	1
Parent PID:	4852
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	12:16:16
Date:	20/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb50000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	2004
Target ID:	3
Parent PID:	4852
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	12:16:16
Date:	20/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0xb50000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	5644
Target ID:	5
Parent PID:	1044
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	3259920
MD5:	DE584DD4970A8099454611EE0C739EA8
Time:	12:16:18
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8282112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	5740
Target ID:	6
Parent PID:	1044
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	3259920
MD5:	DE584DD4970A8099454611EE0C739EA8
Time:	12:16:18
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8282112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	3720
Target ID:	7
Parent PID:	2580
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	3259920
MD5:	DE584DD4970A8099454611EE0C739EA8
Time:	12:16:29
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	8282112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	4460
Target ID:	11
Parent PID:	2580
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	3259920
MD5:	DE584DD4970A8099454611EE0C739EA8
Time:	12:16:37
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	8282112
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	4304
Target ID:	2
Parent PID:	1900
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:16:16
Date:	20/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	6128
Target ID:	4
Parent PID:	2004
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:16:16
Date:	20/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll

unknown

Details

Name:	https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Source:	AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://t.me/RiseProSUPPORTX

unknown

http://www.winimage.com/zLibDll

unknown

Details

Name:	http://www.winimage.com/zLibDll
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Source:	AlCsIOd0pd.exe, 00000000.00000003.1748570602.0000000000CD0000.00000004.00001000.00020000.00000000.sdmp, AlCsIOd0pd.exe, 00000000.00000002.3251443342.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000003.1783897542.0000000002850000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3252220820.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.3251589290.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1784572733.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3251444322.000000000055D000.00000002.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000003.1896625468.0000000002850000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.1976471958.0000000002840000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3251481803.000000000055D000.00000002.00000001.01000000.00000005.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://t.me/RiseProSUPPORT

unknown

Details

Name:	https://t.me/RiseProSUPPORT
TargetID:	0
From Memory:	true
Current Path:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Source:	AlCsIOd0pd.exe, 00000000.00000002.3253969387.0000000000D1E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.3255069543.0000000000CED000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3253912060.0000000000C37000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.3253787477.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3253822490.0000000000E38000.00000004.00000020.00020000.00000000.sdmp

Signature Hits	Behavior Group	Mitre Attack
URLs found in memory or binary data	Networking

https://ipinfo.io/

unknown

https://t.me/RiseProSUPPORTB

unknown

https://t.me/RiseProSUPPORToE

unknown

https://www.maxmind.com/en/locate-my-ip-address

unknown

Details

Name:	https://www.maxmind.com/en/locate-my-ip-address
TargetID:	5
From Memory:	true
Current Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Source:	MPGPH131.exe

Signature Hits	Behavior Group	Mitre Attack
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
URLs found in memory or binary data	Networking

IPs

Domain

Country

Malicious

77.91.77.66

unknown

Russian Federation

Details

IP:	77.91.77.66
TargetID:	0
Current Path:	C:\Users\user\Desktop\AlCsIOd0pd.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	42861
ASN name:	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

RageMP131

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	RageMP131
Value data:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

55D000

unkown

page readonly

D20000

direct allocation

page read and write

D36000

heap

page read and write

FDF000

stack

page read and write

76E000

unkown

page execute and read and write

D86000

heap

page read and write

774000

unkown

page execute and read and write

400000

unkown

page readonly

778000

unkown

page execute and read and write

73D000

unkown

page execute and read and write

739000

unkown

page execute and read and write

762000

unkown

page execute and read and write

D3A000

heap

page read and write

2930000

heap

page read and write

596000

unkown

page read and write

DA2000

heap

page read and write

741000

unkown

page execute and read and write

747000

unkown

page execute and read and write

D62000

heap

page read and write

55D000

unkown

page readonly

CD0000

direct allocation

page read and write

77A000

unkown

page execute and read and write

4C7E000

stack

page read and write

772000

unkown

page execute and read and write

735000

unkown

page execute and read and write

400000

unkown

page readonly

980000

unkown

page execute read

762000

unkown

page execute and read and write

2840000

direct allocation

page read and write

2840000

direct allocation

page read and write

C97000

heap

page read and write

E8F000

heap

page read and write

980000

unkown

page execute read

757000

unkown

page execute and read and write

D20000

heap

page read and write

E6F000

heap

page read and write

28A0000

direct allocation

page read and write

980000

unkown

page execute read

598000

unkown

page execute and read and write

2A3E000

stack

page read and write

774000

unkown

page execute and read and write

C65000

heap

page read and write

C20000

direct allocation

page read and write

C25000

heap

page read and write

D49000

heap

page read and write

D7C000

heap

page read and write

2840000

direct allocation

page read and write

585000

unkown

page read and write

76A000

unkown

page execute and read and write

C56000

heap

page read and write

55D000

unkown

page readonly

C30000

heap

page read and write

73B000

unkown

page execute and read and write

73B000

unkown

page execute and read and write

4D7F000

stack

page read and write

401000

unkown

page execute read

D20000

direct allocation

page read and write

596000

unkown

page read and write

9B000

stack

page read and write

2820000

heap

page read and write

E38000

heap

page read and write

58A000

unkown

page readonly

2850000

direct allocation

page read and write

CB0000

direct allocation

page read and write

58A000

unkown

page readonly

585000

unkown

page read and write

7B0000

unkown

page execute and read and write

19C000

stack

page read and write

4C5E000

stack

page read and write

776000

unkown

page execute and read and write

4DBE000

stack

page read and write

76E000

unkown

page execute and read and write

58A000

unkown

page readonly

400000

unkown

page readonly

58A000

unkown

page readonly

C97000

heap

page read and write

778000

unkown

page execute and read and write

735000

unkown

page execute and read and write

D10000

heap

page read and write

55D000

unkown

page readonly

CB0000

heap

page read and write

2AF0000

heap

page read and write

77A000

unkown

page execute and read and write

E7C000

heap

page read and write

4CFE000

stack

page read and write

C45000

heap

page read and write

747000

unkown

page execute and read and write

E75000

heap

page read and write

55D000

unkown

page readonly

D21000

heap

page read and write

E97000

heap

page read and write

585000

unkown

page write copy

73D000

unkown

page execute and read and write

762000

unkown

page execute and read and write

747000

unkown

page execute and read and write

D51000

heap

page read and write

778000

unkown

page execute and read and write

401000

unkown

page execute read

73B000

unkown

page execute and read and write

401000

unkown

page execute read

D81000

heap

page read and write

75E000

unkown

page execute and read and write

9B000

stack

page read and write

585000

unkown

page write copy

776000

unkown

page execute and read and write

74B000

unkown

page execute and read and write

74B000

unkown

page execute and read and write

C8F000

heap

page read and write

739000

unkown

page execute and read and write

C55000

heap

page read and write

D30000

heap

page read and write

980000

unkown

page execute read

1F0000

heap

page read and write

757000

unkown

page execute and read and write

739000

unkown

page execute and read and write

400000

unkown

page readonly

401000

unkown

page execute read

CD0000

direct allocation

page read and write

29F0000

heap

page read and write

772000

unkown

page execute and read and write

4DDE000

stack

page read and write

73B000

unkown

page execute and read and write

772000

unkown

page execute and read and write

786000

unkown

page execute and read and write

75E000

unkown

page execute and read and write

2944000

heap

page read and write

55D000

unkown

page readonly

C78000

heap

page read and write

55D000

unkown

page readonly

D00000

direct allocation

page read and write

7B0000

unkown

page execute and read and write

735000

unkown

page execute and read and write

C61000

heap

page read and write

293E000

stack

page read and write

D88000

heap

page read and write

73D000

unkown

page execute and read and write

401000

unkown

page execute read

D3F000

heap

page read and write

CD0000

direct allocation

page read and write

76A000

unkown

page execute and read and write

733000

unkown

page execute and read and write

E7F000

heap

page read and write

786000

unkown

page execute and read and write

2970000

direct allocation

page read and write

D3A000

heap

page read and write

D4C000

heap

page read and write

7B0000

unkown

page execute and read and write

737000

unkown

page execute and read and write

2850000

direct allocation

page read and write

739000

unkown

page execute and read and write

D75000

heap

page read and write

19C000

stack

page read and write

BF0000

heap

page read and write

757000

unkown

page execute and read and write

FAF000

stack

page read and write

1F5000

heap

page read and write

75C000

unkown

page execute and read and write

980000

unkown

page execute read

CED000

heap

page read and write

55D000

unkown

page readonly

D5B000

heap

page read and write

75E000

unkown

page execute and read and write

759000

unkown

page execute and read and write

747000

unkown

page execute and read and write

76E000

unkown

page execute and read and write

737000

unkown

page execute and read and write

2850000

direct allocation

page read and write

9B000

stack

page read and write

E2F000

stack

page read and write

BF0000

heap

page read and write

2850000

direct allocation

page read and write

9B000

stack

page read and write

4A52000

heap

page read and write

733000

unkown

page execute and read and write

D25000

heap

page read and write

585000

unkown

page write copy

75C000

unkown

page execute and read and write

77A000

unkown

page execute and read and write

733000

unkown

page execute and read and write

596000

unkown

page read and write

C00000

heap

page read and write

CE0000

heap

page read and write

75E000

unkown

page execute and read and write

D79000

heap

page read and write

58A000

unkown

page readonly

596000

unkown

page write copy

73D000

unkown

page execute and read and write

76C000

unkown

page execute and read and write

757000

unkown

page execute and read and write

19C000

stack

page read and write

585000

unkown

page read and write

731000

unkown

page execute and read and write

741000

unkown

page execute and read and write

737000

unkown

page execute and read and write

596000

unkown

page read and write

D10000

heap

page read and write

2850000

direct allocation

page read and write

2850000

direct allocation

page read and write

778000

unkown

page execute and read and write

770000

unkown

page execute and read and write

4EBF000

stack

page read and write

401000

unkown

page execute read

585000

unkown

page write copy

786000

unkown

page execute and read and write

DA2000

heap

page read and write

774000

unkown

page execute and read and write

2850000

direct allocation

page read and write

58A000

unkown

page readonly

19C000

stack

page read and write

D64000

heap

page read and write

C00000

heap

page read and write

75E000

unkown

page execute and read and write

400000

unkown

page readonly

400000

unkown

page readonly

757000

unkown

page execute and read and write

E30000

heap

page read and write

735000

unkown

page execute and read and write

768000

unkown

page execute and read and write

9B000

stack

page read and write

D6D000

heap

page read and write

E3E000

stack

page read and write

786000

unkown

page execute and read and write

2890000

heap

page read and write

759000

unkown

page execute and read and write

58A000

unkown

page readonly

759000

unkown

page execute and read and write

2820000

direct allocation

page read and write

C76000

heap

page read and write

75C000

unkown

page execute and read and write

D1A000

heap

page read and write

D83000

heap

page read and write

401000

unkown

page execute read

741000

unkown

page execute and read and write

CD0000

direct allocation

page read and write

772000

unkown

page execute and read and write

C00000

heap

page read and write

D1B000

heap

page read and write

741000

unkown

page execute and read and write

D00000

heap

page read and write

E97000

heap

page read and write

774000

unkown

page execute and read and write

76C000

unkown

page execute and read and write

2830000

heap

page read and write

19C000

stack

page read and write

E77000

heap

page read and write

D81000

heap

page read and write

D2F000

heap

page read and write

E6E000

stack

page read and write

596000

unkown

page write copy

58A000

unkown

page readonly

29E0000

heap

page read and write

D72000

heap

page read and write

292E000

stack

page read and write

D16000

heap

page read and write

2850000

direct allocation

page read and write

76C000

unkown

page execute and read and write

D9A000

heap

page read and write

737000

unkown

page execute and read and write

778000

unkown

page execute and read and write

73F000

unkown

page execute and read and write

770000

unkown

page execute and read and write

C20000

heap

page read and write

980000

unkown

page execute read

596000

unkown

page write copy

770000

unkown

page execute and read and write

76A000

unkown

page execute and read and write

4EDF000

stack

page read and write

4CEE000

stack

page read and write

73B000

unkown

page execute and read and write

293E000

stack

page read and write

76A000

unkown

page execute and read and write

CEA000

heap

page read and write

D7F000

heap

page read and write

C40000

heap

page read and write

585000

unkown

page read and write

585000

unkown

page read and write

2850000

direct allocation

page read and write

731000

unkown

page execute and read and write

2960000

heap

page read and write

CD0000

direct allocation

page read and write

77A000

unkown

page execute and read and write

2850000

direct allocation

page read and write

598000

unkown

page execute and read and write

731000

unkown

page execute and read and write

733000

unkown

page execute and read and write

400000

unkown

page readonly

4971000

heap

page read and write

2830000

direct allocation

page read and write

D3E000

heap

page read and write

585000

unkown

page write copy

786000

unkown

page execute and read and write

E8C000

heap

page read and write

73F000

unkown

page execute and read and write

28F0000

heap

page read and write

C6F000

heap

page read and write

76E000

unkown

page execute and read and write

400000

unkown

page readonly

768000

unkown

page execute and read and write

768000

unkown

page execute and read and write

4B00000

heap

page read and write

2820000

heap

page read and write

598000

unkown

page execute and read and write

770000

unkown

page execute and read and write

76C000

unkown

page execute and read and write

731000

unkown

page execute and read and write

C50000

heap

page read and write

29F0000

heap

page read and write

73F000

unkown

page execute and read and write

C7F000

heap

page read and write

4A03000

heap

page read and write

980000

unkown

page execute read

598000

unkown

page execute and read and write

2940000

direct allocation

page read and write

768000

unkown

page execute and read and write

598000

unkown

page execute and read and write

401000

unkown

page execute read

D6A000

heap

page read and write

596000

unkown

page write copy

776000

unkown

page execute and read and write

2A40000

heap

page read and write

737000

unkown

page execute and read and write

762000

unkown

page execute and read and write

58A000

unkown

page readonly

D51000

heap

page read and write

D34000

heap

page read and write

596000

unkown

page write copy

772000

unkown

page execute and read and write

76C000

unkown

page execute and read and write

73D000

unkown

page execute and read and write

401000

unkown

page execute read

596000

unkown

page read and write

74B000

unkown

page execute and read and write

D81000

heap

page read and write

739000

unkown

page execute and read and write

2840000

direct allocation

page read and write

735000

unkown

page execute and read and write

D47000

heap

page read and write

D0E000

stack

page read and write

733000

unkown

page execute and read and write

C4E000

stack

page read and write

73F000

unkown

page execute and read and write

759000

unkown

page execute and read and write

400000

unkown

page readonly

980000

unkown

page execute read

C00000

heap

page read and write

C10000

heap

page read and write

401000

unkown

page execute read

4D9F000

stack

page read and write

731000

unkown

page execute and read and write

741000

unkown

page execute and read and write

4A09000

heap

page read and write

293E000

stack

page read and write

76E000

unkown

page execute and read and write

980000

unkown

page execute read

58A000

unkown

page readonly

776000

unkown

page execute and read and write

D1E000

heap

page read and write

747000

unkown

page execute and read and write

D8B000

heap

page read and write

7B0000

unkown

page execute and read and write

BF0000

heap

page read and write

F6F000

stack

page read and write

768000

unkown

page execute and read and write

F3F000

stack

page read and write

C20000

heap

page read and write

D43000

heap

page read and write

7B0000

unkown

page execute and read and write

74B000

unkown

page execute and read and write

D8F000

heap

page read and write

776000

unkown

page execute and read and write

762000

unkown

page execute and read and write

400000

unkown

page readonly

774000

unkown

page execute and read and write

55D000

unkown

page readonly

4C9E000

stack

page read and write

C8E000

stack

page read and write

74B000

unkown

page execute and read and write

E61000

heap

page read and write

2A3E000

stack

page read and write

BF0000

heap

page read and write

CD0000

direct allocation

page read and write

D64000

heap

page read and write

292E000

stack

page read and write

E66000

heap

page read and write

C37000

heap

page read and write

770000

unkown

page execute and read and write

55D000

unkown

page readonly

D51000

heap

page read and write

759000

unkown

page execute and read and write

73F000

unkown

page execute and read and write

980000

unkown

page execute read

77A000

unkown

page execute and read and write

D2B000

heap

page read and write

75C000

unkown

page execute and read and write

75C000

unkown

page execute and read and write

294F000

heap

page read and write

76A000

unkown

page execute and read and write

There are 387 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
AlCsIOd0pd.exe

Files

Processes

URLs

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportAlCsIOd0pd.exe

Files

Processes

URLs

IPs

Registry

Memdumps

IOC Report
AlCsIOd0pd.exe