Windows Analysis Report
YnsEArPlqx.exe

Overview

General Information

Sample name: YnsEArPlqx.exe
renamed because original name is a hash value
Original sample name: ab8e88bff0b907fc49b949d704490018.exe
Analysis ID: 1460294
MD5: ab8e88bff0b907fc49b949d704490018
SHA1: 559f2f2b61bd344293f7cbc78b72d8e368910ae3
SHA256: 921c5314fc334bac928a8398da1c8341b1021cf92ae83bf8b872d422f2e7ef8f
Tags: exeRiseProStealer
Infos:

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found stalling execution ending in API Sleep call
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Uses schtasks.exe or at.exe to add and modify task schedules
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: http://77.91.77.81/mine/amadka.exeisepro_bot Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exe Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe3377b Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe.1 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe0.1 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.e Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeB Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeT3EU Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exeisepro_botA% Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exek.com Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exew9u Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe/risepro Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe0.1 Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/go.exeOP Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 55%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: YnsEArPlqx.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: YnsEArPlqx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 0_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 6_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 7_2_00431F9C

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49739
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49739 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49741 -> 77.91.77.66:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49739
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49741
Connects to many ports of the same IP (likely port scanning)
Source: global traffic TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49731 -> 77.91.77.66:58709
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 172.67.75.166 172.67.75.166
Source: Joe Sandbox View IP Address: 77.91.77.66 77.91.77.66
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_00409280 recv,GetProcAddress,GetModuleHandleA,GetProcAddress,WSASend, 0_2_00409280
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exeOP
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exeT3EU
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/go.exew9u
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000EA4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/lenin.e
Source: RageMP131.exe, 0000000C.00000002.3056865794.0000000000F59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/lenin.exe/risepro
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/lenin.exe0.1
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/cost/lenin.exek.com
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe.1
Source: RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe0.1
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exe3377b
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeB
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeisepro_bot
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://77.91.77.81/mine/amadka.exeisepro_botA%
Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/L
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/V
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.333
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33f7
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33k
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33w
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/h
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/oV
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000000B.00000002.3055498202.0000000000C5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.338
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33H
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33M
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C7D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EBD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000E7C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33NA
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33P.tmp
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E45000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CEB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933668257.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056302312.0000000000C76000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EDC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.%9
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.h
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000C77000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000BFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000CDE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTf
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTt
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000E67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTv
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F4E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot3ABbfQUY
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot8
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botClyf(U3
Source: RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botK:
Source: MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000F20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisep
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot~
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49752 version: TLS 1.2

System Summary
barindex
PE file contains section with special chars
Source: YnsEArPlqx.exe Static PE information: section name:
Source: YnsEArPlqx.exe Static PE information: section name:
Source: YnsEArPlqx.exe Static PE information: section name:
Source: YnsEArPlqx.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Detected potential crypto function
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_0043C960 0_2_0043C960
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_0043A928 0_2_0043A928
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_004371A0 0_2_004371A0
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_0044DA86 0_2_0044DA86
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_0044036F 0_2_0044036F
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_00458BB0 0_2_00458BB0
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_004EFC40 0_2_004EFC40
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_0042F580 0_2_0042F580
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_00452610 0_2_00452610
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_004F2FD0 0_2_004F2FD0
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_004547BF 0_2_004547BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043C960 6_2_0043C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043A928 6_2_0043A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004371A0 6_2_004371A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0044DA86 6_2_0044DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0044036F 6_2_0044036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00458BB0 6_2_00458BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004EFC40 6_2_004EFC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0042F580 6_2_0042F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00452610 6_2_00452610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004F2FD0 6_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004547BF 6_2_004547BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0043C960 7_2_0043C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0043A928 7_2_0043A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_004371A0 7_2_004371A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0044DA86 7_2_0044DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0044036F 7_2_0044036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00458BB0 7_2_00458BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_004EFC40 7_2_004EFC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0042F580 7_2_0042F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00452610 7_2_00452610
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_004F2FD0 7_2_004F2FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_004547BF 7_2_004547BF
Found potential string decryption / allocating functions
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00434380 appears 48 times
Sample file is different than original file name gathered from version info
Source: YnsEArPlqx.exe Binary or memory string: OriginalFilename vs YnsEArPlqx.exe
Source: YnsEArPlqx.exe, 00000000.00000000.1811623951.000000000058A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs YnsEArPlqx.exe
Source: YnsEArPlqx.exe, 00000000.00000002.3053550862.000000000058A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs YnsEArPlqx.exe
Source: YnsEArPlqx.exe Binary or memory string: OriginalFilenamedotnet.exe6 vs YnsEArPlqx.exe
Uses 32bit PE files
Source: YnsEArPlqx.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: YnsEArPlqx.exe Static PE information: Section: ZLIB complexity 0.9987973597852029
Source: YnsEArPlqx.exe Static PE information: Section: ZLIB complexity 0.994140625
Source: YnsEArPlqx.exe Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9987973597852029
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.994140625
Source: RageMP131.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9987973597852029
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.994140625
Source: MPGPH131.exe.0.dr Static PE information: Section: .reloc ZLIB complexity 1.5
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@3/3
Source: C:\Users\user\Desktop\YnsEArPlqx.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7536:120:WilError_03
Source: C:\Users\user\Desktop\YnsEArPlqx.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: YnsEArPlqx.exe, 00000000.00000003.1815516370.0000000002980000.00000004.00001000.00020000.00000000.sdmp, YnsEArPlqx.exe, 00000000.00000002.3053441050.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3053548356.000000000055D000.00000002.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.1854273690.0000000002860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1854619896.0000000002840000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3053457158.000000000055D000.00000002.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000B.00000003.1930519219.0000000002740000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3053466368.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3053447329.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2009098412.0000000002840000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: YnsEArPlqx.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\YnsEArPlqx.exe File read: C:\Users\user\Desktop\YnsEArPlqx.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\YnsEArPlqx.exe "C:\Users\user\Desktop\YnsEArPlqx.exe"
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: YnsEArPlqx.exe Static file information: File size 3270672 > 1048576
Source: YnsEArPlqx.exe Static PE information: Raw size of .boot is bigger than: 0x100000 < 0x267000
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .boot
PE file contains sections with non-standard names
Source: YnsEArPlqx.exe Static PE information: section name:
Source: YnsEArPlqx.exe Static PE information: section name:
Source: YnsEArPlqx.exe Static PE information: section name:
Source: YnsEArPlqx.exe Static PE information: section name:
Source: YnsEArPlqx.exe Static PE information: section name: .themida
Source: YnsEArPlqx.exe Static PE information: section name: .boot
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: .themida
Source: RageMP131.exe.0.dr Static PE information: section name: .boot
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr Static PE information: section name: .boot
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_0058901C push eax; iretd 0_2_0058901D
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_006E1593 push ecx; mov dword ptr [esp], ebp 0_2_00822BC8
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_006E1593 push 57F325EEh; mov dword ptr [esp], eax 0_2_00822C06
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_006E1593 push edi; mov dword ptr [esp], ebp 0_2_00822C19
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_006E1593 push eax; mov dword ptr [esp], ecx 0_2_00822C1D
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_006E1593 push 0F00E9F4h; mov dword ptr [esp], eax 0_2_00822C7A
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_00433F59 push ecx; ret 0_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006E1593 push ecx; mov dword ptr [esp], ebp 6_2_00822BC8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006E1593 push 57F325EEh; mov dword ptr [esp], eax 6_2_00822C06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006E1593 push edi; mov dword ptr [esp], ebp 6_2_00822C19
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006E1593 push eax; mov dword ptr [esp], ecx 6_2_00822C1D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_006E1593 push 0F00E9F4h; mov dword ptr [esp], eax 6_2_00822C7A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00433F59 push ecx; ret 6_2_00433F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_006E1593 push ecx; mov dword ptr [esp], ebp 7_2_00822BC8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_006E1593 push 57F325EEh; mov dword ptr [esp], eax 7_2_00822C06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_006E1593 push edi; mov dword ptr [esp], ebp 7_2_00822C19
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_006E1593 push eax; mov dword ptr [esp], ecx 7_2_00822C1D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_006E1593 push 0F00E9F4h; mov dword ptr [esp], eax 7_2_00822C7A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00433F59 push ecx; ret 7_2_00433F6C
Source: YnsEArPlqx.exe Static PE information: section name: entropy: 7.981638520890903
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.981638520890903
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.981638520890903
Drops PE files
Source: C:\Users\user\Desktop\YnsEArPlqx.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\Desktop\YnsEArPlqx.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\YnsEArPlqx.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\Desktop\YnsEArPlqx.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe System information queried: FirmwareTableInformation Jump to behavior
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\YnsEArPlqx.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found evasive API chain (date check)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412 Thread sleep count: 212 > 30 Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7624 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412 Thread sleep count: 313 > 30 Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412 Thread sleep time: -31613s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe TID: 7412 Thread sleep count: 146 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 Thread sleep count: 185 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7676 Thread sleep count: 38 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 Thread sleep count: 313 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 Thread sleep time: -31613s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7636 Thread sleep count: 143 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 Thread sleep count: 40 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 Thread sleep count: 184 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7672 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 Thread sleep count: 311 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 Thread sleep time: -31411s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7644 Thread sleep count: 145 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856 Thread sleep count: 127 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7952 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856 Thread sleep count: 317 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856 Thread sleep time: -32017s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7856 Thread sleep count: 144 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 Thread sleep count: 91 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 Thread sleep count: 244 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8028 Thread sleep count: 35 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 Thread sleep count: 284 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 Thread sleep count: 144 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8012 Thread sleep count: 121 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 0_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 6_2_00431F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 7_2_00431F9C
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000DCD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}E
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000E60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&s
Source: RageMP131.exe, 0000000C.00000002.3055648642.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: RageMP131.exe, 0000000C.00000003.2035826187.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: YnsEArPlqx.exe, 00000000.00000003.1840354529.0000000000D44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Cz
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D79000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3055578194.0000000000CBF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2933539587.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3056401980.0000000000C95000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EFF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3055648642.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 00000006.00000002.3055816885.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 0000000B.00000003.1945525195.0000000000C61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000C.00000003.2035826187.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Q
Source: YnsEArPlqx.exe, 00000000.00000002.3055663083.0000000000D2C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.3055498202.0000000000C4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: RageMP131.exe, 0000000B.00000002.3055498202.0000000000BF0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&9
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00438A64
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00438A64
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0043451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00438A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_0043451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00438A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0043451D

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_004CF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 6_2_004CF280
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 7_2_004CF280
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW, 0_2_004531CA
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: EnumSystemLocalesW, 0_2_0044B1B1
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004532F3
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00452B5A
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW, 0_2_004533F9
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004534CF
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW, 0_2_00452D5F
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: EnumSystemLocalesW, 0_2_00452E51
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: EnumSystemLocalesW, 0_2_00452E06
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: EnumSystemLocalesW, 0_2_00452EEC
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00452F77
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: GetLocaleInfoW, 0_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_0044B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_004531CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_0044B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_004532F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 7_2_00452B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_004533F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_004534CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00452D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00452E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00452E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00452EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_00452F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_0044B734
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Code function: 0_2_0043361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_0043361D
Source: C:\Users\user\Desktop\YnsEArPlqx.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected RisePro Stealer
Source: Yara match File source: Process Memory Space: YnsEArPlqx.exe PID: 7408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: Process Memory Space: YnsEArPlqx.exe PID: 7408, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7632, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7640, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7852, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8008, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1460294 Sample: YnsEArPlqx.exe Startdate: 20/06/2024 Architecture: WINDOWS Score: 100 35 ipinfo.io 2->35 37 db-ip.com 2->37 45 Snort IDS alert for network traffic 2->45 47 Antivirus detection for URL or domain 2->47 49 Yara detected RisePro Stealer 2->49 51 4 other signatures 2->51 8 YnsEArPlqx.exe 1 9 2->8         started        13 MPGPH131.exe 2 2->13         started        15 RageMP131.exe 2 2->15         started        17 2 other processes 2->17 signatures3 process4 dnsIp5 39 77.91.77.66, 49731, 49732, 49733 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU Russian Federation 8->39 41 ipinfo.io 34.117.186.192, 443, 49742, 49743 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG United States 8->41 43 db-ip.com 172.67.75.166, 443, 49746, 49747 CLOUDFLARENETUS United States 8->43 27 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 8->27 dropped 29 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 8->29 dropped 31 C:\Users\...\RageMP131.exe:Zone.Identifier, ASCII 8->31 dropped 33 C:\...\MPGPH131.exe:Zone.Identifier, ASCII 8->33 dropped 53 Query firmware table information (likely to detect VMs) 8->53 55 Found stalling execution ending in API Sleep call 8->55 57 Contains functionality to inject threads in other processes 8->57 59 Uses schtasks.exe or at.exe to add and modify task schedules 8->59 19 schtasks.exe 1 8->19         started        21 schtasks.exe 1 8->21         started        61 Multi AV Scanner detection for dropped file 13->61 63 Machine Learning detection for dropped file 13->63 65 Tries to detect sandboxes / dynamic malware analysis system (registry check) 13->65 file6 signatures7 process8 process9 23 conhost.exe 19->23         started        25 conhost.exe 21->25         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
172.67.75.166
 db-ip.com United States
13335 CLOUDFLARENETUS false
77.91.77.66
 unknown Russian Federation
42861 FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU true

Contacted Domains

Name IP Active
ipinfo.io 34.117.186.192 true
db-ip.com 172.67.75.166 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://ipinfo.io/widget/demo/8.46.123.33 false
  • Avira URL Cloud: safe
 unknown
https://ipinfo.io/ false
  • URL Reputation: safe
 unknown
https://db-ip.com/demo/home.php?s=8.46.123.33 false
  • Avira URL Cloud: safe
 unknown