Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

YnsEArPlqx.exe

PE32 executable (GUI) Intel 80386, for MS Windows

initial sample

Details

Filetype:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.967404431164332
Filename:	YnsEArPlqx.exe
Filesize:	3270672
MD5:	ab8e88bff0b907fc49b949d704490018
SHA1:	559f2f2b61bd344293f7cbc78b72d8e368910ae3
SHA256:	921c5314fc334bac928a8398da1c8341b1021cf92ae83bf8b872d422f2e7ef8f
SHA512:	c2388edc661cbaaeccf2ff9a2c153b5d201cf7a2c605570eb992afa3878a0f24c96e1443713e9330833001a4d2be245e6f49f281c663118adeb76ecf7d2e41b5
SSDEEP:	98304:e5tF1/fIhf2JK5KtqWaUMrXYQjC4fbEaSNthtA:Ib4haKUt1aUWI4xfbnSHhu
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	File and Directory Discovery
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Contains functionality to check if a debugger is running (IsDebuggerPresent)	Anti Debugging
Contains functionality to dynamically determine API calls	Data Obfuscation, Anti Debugging
Contains functionality to query locales information (e.g. system language)	Language, Device and Operating System Detection	System Information Discovery
Detected potential crypto function	System Summary	Archive Collected Data Encrypted Channel
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
May sleep (evasive loops) to hinder dynamic analysis	Malware Analysis System Evasion	Virtualization/Sandbox Evasion File and Directory Discovery
PE file contains sections with non-standard names	Data Obfuscation
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample file is different than original file name gathered from version info	System Summary
Uses 32bit PE files	Compliance, System Summary	Masquerading
Uses code obfuscation techniques (call, push, ret)	Data Obfuscation	Obfuscated Files or Information
Binary may include packed or encrypted code	Data Obfuscation	Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary
Contains functionality to download additional files from the internet	Networking
Contains functionality to enumerate / list files inside a directory	Spreading, Malware Analysis System Evasion	File and Directory Discovery
Contains functionality to modify the execution of threads in other processes
Contains functionality to query local / system time	Language, Device and Operating System Detection	System Time Discovery
Contains functionality to register its own exception handler	Anti Debugging
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder File and Directory Discovery
Creates files inside the user directory	System Summary	Masquerading
Creates temporary files	System Summary
Queries the cryptographic machine GUID	Language, Device and Operating System Detection
Reads software policies	System Summary
SQL strings found in memory and binary data	System Summary	File and Directory Discovery
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Tries to load missing DLLs	System Summary	DLL Side-Loading
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\ProgramData\MPGPH131\MPGPH131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe
Category:	dropped
Dump:	MPGPH131.exe.0.dr
ID:	dr_3
Target ID:	0
Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.967404431164332
Encrypted:	false
Ssdeep:	98304:e5tF1/fIhf2JK5KtqWaUMrXYQjC4fbEaSNthtA:Ib4haKUt1aUWI4xfbnSHhu
Size:	3270672
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Machine Learning detection for dropped file	AV Detection
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier
Category:	dropped
Dump:	MPGPH131.exe_Zone.Identifier.0.dr
ID:	dr_2
Target ID:	0
Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Contains functionality to inject threads in other processes	HIPS / PFW / Operating System Protection Evasion	Process Injection
Found stalling execution ending in API Sleep call	Malware Analysis System Evasion
Machine Learning detection for dropped file	AV Detection
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Found decision node followed by non-executed suspicious APIs	Malware Analysis System Evasion
Found evasive API chain (date check)	Malware Analysis System Evasion	Native API
Found potential string decryption / allocating functions	System Summary	Obfuscated Files or Information Deobfuscate/Decode Files or Information
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Tries to load missing DLLs	System Summary	DLL Side-Loading
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Category:	dropped
Dump:	RageMP131.exe.0.dr
ID:	dr_1
Target ID:	0
Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy:	7.967404431164332
Encrypted:	false
Ssdeep:	98304:e5tF1/fIhf2JK5KtqWaUMrXYQjC4fbEaSNthtA:Ib4haKUt1aUWI4xfbnSHhu
Size:	3270672
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Drops PE files	Persistence and Installation Behavior
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

ASCII text, with CRLF line terminators

dropped

Details

File:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier
Category:	dropped
Dump:	RageMP131.exe_Zone.Identifier.0.dr
ID:	dr_0
Target ID:	0
Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
Type:	ASCII text, with CRLF line terminators
Entropy:	3.95006375643621
Encrypted:	false
Ssdeep:	3:ggPYV:rPYV
Size:	26
Whitelisted:	false
Reputation:	high

Signature Hits	Behavior Group	Mitre Attack
Machine Learning detection for dropped file	AV Detection
Query firmware table information (likely to detect VMs)	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Tries to detect sandboxes / dynamic malware analysis system (registry check)	Malware Analysis System Evasion	Security Software Discovery
Contains capabilities to detect virtual machines	Malware Analysis System Evasion	Security Software Discovery Virtualization/Sandbox Evasion
Queries the volume information (name, serial number etc) of a device	Language, Device and Operating System Detection	System Information Discovery
Sample execution stops while process was sleeping (likely an evasion)	Malware Analysis System Evasion
Tries to load missing DLLs	System Summary	DLL Side-Loading

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

ASCII text, with no line terminators

modified

Details

File:	C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Category:	modified
Dump:	rage131MP.tmp.0.dr
ID:	dr_4
Target ID:	0
Process:	C:\Users\user\Desktop\YnsEArPlqx.exe
Type:	ASCII text, with no line terminators
Entropy:	2.8731406795131336
Encrypted:	false
Ssdeep:	3:L1VcuRn:TRRn
Size:	13
Whitelisted:	false
Reputation:	low

Signature Hits	Behavior Group	Mitre Attack
Creates temporary files	System Summary

Processes

Path

Cmdline

Malicious

C:\Users\user\Desktop\YnsEArPlqx.exe

"C:\Users\user\Desktop\YnsEArPlqx.exe"

Details

Is windows:	false
Is dropped:	false
PID:	7408
Target ID:	0
Parent PID:	2580
Name:	YnsEArPlqx.exe
Path:	C:\Users\user\Desktop\YnsEArPlqx.exe
Commandline:	"C:\Users\user\Desktop\YnsEArPlqx.exe"
Size:	3270672
MD5:	AB8E88BFF0B907FC49B949D704490018
Time:	12:57:10
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8290304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Machine Learning detection for sample	AV Detection
PE file contains section with special chars	System Summary
PE file contains sections with non-standard names	Data Obfuscation
Sample file is different than original file name gathered from version info	System Summary
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Uses 32bit PE files	Compliance, System Summary
Binary may include packed or encrypted code	Data Obfuscation	Obfuscated Files or Information Software Packing
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)	System Summary	Software Packing
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Sample reads its own file content	System Summary
Spawns processes	System Summary	Process Injection
PE file has a big raw section	System Summary
Submission file is bigger than most known malware samples	System Summary

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	7528
Target ID:	2
Parent PID:	7408
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	12:57:13
Date:	20/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

Details

Is windows:	true
Is dropped:	false
PID:	7576
Target ID:	4
Parent PID:	7408
Name:	schtasks.exe
Class:	system-tools
Path:	C:\Windows\SysWOW64\schtasks.exe
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Size:	187904
MD5:	48C2FE20575769DE916F48EF0676A965
Time:	12:57:13
Date:	20/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x1c0000
Modulesize:	204800
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Spawns processes	System Summary	Process Injection

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	7632
Target ID:	6
Parent PID:	1044
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	3270672
MD5:	AB8E88BFF0B907FC49B949D704490018
Time:	12:57:14
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8290304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\ProgramData\MPGPH131\MPGPH131.exe

Details

Is windows:	false
Is dropped:	true
PID:	7640
Target ID:	7
Parent PID:	1044
Name:	MPGPH131.exe
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Size:	3270672
MD5:	AB8E88BFF0B907FC49B949D704490018
Time:	12:57:14
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x400000
Modulesize:	8290304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Uses schtasks.exe or at.exe to add and modify task schedules	Boot Survival	Scheduled Task/Job
Drops PE files	Persistence and Installation Behavior
Drops PE files to the application program directory (C:\ProgramData)	Persistence and Installation Behavior
Sample might require command line arguments	System Summary	Command and Scripting Interpreter
Spawns processes	System Summary	Process Injection
URLs found in memory or binary data	Networking

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	7852
Target ID:	11
Parent PID:	2580
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	3270672
MD5:	AB8E88BFF0B907FC49B949D704490018
Time:	12:57:22
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	8290304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"

Details

Is windows:	false
Is dropped:	true
PID:	8008
Target ID:	12
Parent PID:	2580
Name:	RageMP131.exe
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Size:	3270672
MD5:	AB8E88BFF0B907FC49B949D704490018
Time:	12:57:30
Date:	20/06/2024
Reason:	newprocess
Reputation:	low
Is admin:	false
Is elevated:	false
Modulebase:	0x400000
Modulesize:	8290304
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Yara detected RisePro Stealer	Stealing of Sensitive Information, Remote Access Functionality
Drops PE files	Persistence and Installation Behavior
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7536
Target ID:	3
Parent PID:	7528
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:57:13
Date:	20/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Windows\System32\conhost.exe

C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Details

Is windows:	true
Is dropped:	false
PID:	7584
Target ID:	5
Parent PID:	7576
Name:	conhost.exe
Path:	C:\Windows\System32\conhost.exe
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Size:	862208
MD5:	0D698AF330FD17BEE3BF90011D49251D
Time:	12:57:13
Date:	20/06/2024
Reason:	newprocess
Reputation:	high
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7699e0000
Modulesize:	892928
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

http://77.91.77.81/mine/amadka.exe

unknown

http://77.91.77.81/mine/amadka.exeisepro_bot

unknown

https://ipinfo.io:443/widget/demo/8.46.123.33

unknown

https://db-ip.com:443/demo/home.php?s=8.46.123.33M

unknown

https://t.me/RiseProSUPPORTv

unknown

http://77.91.77.81/cost/go.exe

unknown

https://t.me/RiseProSUPPORTt

unknown

http://77.91.77.81/mine/amadka.exe.1

unknown

http://77.91.77.81/mine/amadka.exe3377b

unknown

https://db-ip.com:443/demo/home.php?s=8.46.123.33H

unknown

https://db-ip.com/

unknown

https://db-ip.com/oV

unknown

https://ipinfo.io/widget/demo/8.46.123.33NA

unknown

https://t.me/RiseProSUPPORTf

unknown

http://77.91.77.81/cost/lenin.exe0.1

unknown

https://t.me/risepro

unknown

https://ipinfo.io/widget/demo/8.46.123.33P.tmp

unknown

https://ipinfo.io/widget/demo/8.46.123.33

34.117.186.192

https://ipinfo.io/s

unknown

https://db-ip.com/demo/home.php?s=8.46.123.33f7

unknown

http://77.91.77.81/cost/lenin.e

unknown

https://db-ip.com:443/demo/home.php?s=8.46.123.33

unknown

http://77.91.77.81/mine/amadka.exeB

unknown

https://db-ip.com/demo/home.php?s=8.46.123.333

unknown

https://t.me/risepro_bot8

unknown

https://db-ip.com/L

unknown

http://77.91.77.81/mine/amadka.exeisepro_botA%

unknown

http://77.91.77.81/cost/go.exeT3EU

unknown

https://t.me/risepro_botrisep

unknown

https://db-ip.com/V

unknown

https://t.me/risepro_botClyf(U3

unknown

https://t.me/risepro_bot~

unknown

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll

unknown

https://t.me/risepro_botK:

unknown

https://t.me/RiseProSUPPORT

unknown

https://t.me/risepro_bot3ABbfQUY

unknown

http://77.91.77.81/cost/lenin.exek.com

unknown

https://ipinfo.io/Mozilla/5.0

unknown

http://77.91.77.81/cost/go.exew9u

unknown

http://77.91.77.81/cost/lenin.exe/risepro

unknown

https://db-ip.com/h

unknown

https://t.me/risepro_bot

unknown

https://t.me/risepro_botlater

unknown

https://ipinfo.io/

34.117.186.192

https://t.%9

unknown

http://77.91.77.81/mine/amadka.exe0.1

unknown

https://www.maxmind.com/en/locate-my-ip-address

unknown

http://77.91.77.81/cost/go.exeOP

unknown

http://www.winimage.com/zLibDll

unknown

https://db-ip.com/demo/home.php?s=8.46.123.33w

unknown

https://t.h

unknown

https://db-ip.com/demo/home.php?s=8.46.123.33k

unknown

https://db-ip.com/demo/home.php?s=8.46.123.33

172.67.75.166

http://77.91.77.81/cost/lenin.exe

unknown

https://db-ip.com:443/demo/home.php?s=8.46.123.338

unknown

There are 45 hidden URLs, click here to show them.

Domains

Name

Malicious

ipinfo.io

34.117.186.192

Details

Name:	ipinfo.io
IP:	34.117.186.192
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
HTTP GET or POST without a user agent	Networking
May check the online IP address of the machine	Networking	System Network Configuration Discovery
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

db-ip.com

172.67.75.166

Details

Name:	db-ip.com
IP:	172.67.75.166
TargetID:	-1
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Uses a known web browser user agent for HTTP communication	Networking	Application Layer Protocol
Downloads files from webservers via HTTP	Networking	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

77.91.77.66

unknown

Russian Federation

Details

IP:	77.91.77.66
TargetID:	0
Current Path:	C:\Users\user\Desktop\YnsEArPlqx.exe
Country:	Russian Federation
Countrycode:	RUS
ASN number:	42861
ASN name:	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU
Private:	false

Signature Hits	Behavior Group	Mitre Attack
Snort IDS alert for network traffic	Networking
Connects to many ports of the same IP (likely port scanning)	Networking
Detected TCP or UDP traffic on non-standard ports	Networking	Non-Standard Port
Connects to IPs without corresponding DNS lookups	Networking

34.117.186.192

ipinfo.io

United States

Details

IP:	34.117.186.192
TargetID:	0
Current Path:	C:\Users\user\Desktop\YnsEArPlqx.exe
Country:	United States
Countrycode:	USA
ASN number:	139070
ASN name:	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG
Private:	false
Domain:	ipinfo.io

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

172.67.75.166

db-ip.com

United States

Details

IP:	172.67.75.166
TargetID:	0
Current Path:	C:\Users\user\Desktop\YnsEArPlqx.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	db-ip.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

RageMP131

Details

TargetID:	0
Path:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Value name:	RageMP131
Value data:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Signature Hits	Behavior Group	Mitre Attack
Sigma detected: CurrentVersion Autorun Keys Modification	System Summary
Creates an autostart registry key	Boot Survival	Registry Run Keys / Startup Folder

Memdumps

Base Address

Regiontype

Protect

Malicious

C91000

heap

page read and write

EA8000

heap

page read and write

D57000

heap

page read and write

753000

unkown

page execute and read and write

C91000

heap

page read and write

CE8000

heap

page read and write

74F000

unkown

page execute and read and write

D12000

heap

page read and write

D55000

heap

page read and write

76A000

unkown

page execute and read and write

401000

unkown

page execute read

E16000

heap

page read and write

2820000

direct allocation

page read and write

560F000

stack

page read and write

4F2E000

stack

page read and write

C48000

heap

page read and write

74F000

unkown

page execute and read and write

585000

unkown

page read and write

C70000

heap

page read and write

7BB000

unkown

page execute and read and write

D52000

heap

page read and write

4B28000

heap

page read and write

598000

unkown

page execute and read and write

782000

unkown

page execute and read and write

400000

unkown

page readonly

BFA000

heap

page read and write

C61000

heap

page read and write

2740000

direct allocation

page read and write

503E000

stack

page read and write

CDE000

heap

page read and write

C3F000

heap

page read and write

4C7E000

stack

page read and write

401000

unkown

page execute read

759000

unkown

page execute and read and write

CEE000

heap

page read and write

E0B000

heap

page read and write

EC2000

heap

page read and write

2980000

direct allocation

page read and write

5160000

remote allocation

page read and write

CF8000

heap

page read and write

564E000

stack

page read and write

776000

unkown

page execute and read and write

F50000

heap

page read and write

2840000

direct allocation

page read and write

EA0000

heap

page read and write

2740000

direct allocation

page read and write

776000

unkown

page execute and read and write

757000

unkown

page execute and read and write

55D000

unkown

page readonly

76C000

unkown

page execute and read and write

5768000

heap

page read and write

400000

unkown

page readonly

2920000

direct allocation

page read and write

2980000

direct allocation

page read and write

2980000

direct allocation

page read and write

400000

unkown

page readonly

D6D000

heap

page read and write

D68000

heap

page read and write

F59000

heap

page read and write

596000

unkown

page read and write

401000

unkown

page execute read

757000

unkown

page execute and read and write

770000

unkown

page execute and read and write

EE9000

heap

page read and write

506E000

stack

page read and write

74D000

unkown

page execute and read and write

500F000

stack

page read and write

596000

unkown

page read and write

D16000

heap

page read and write

C43000

heap

page read and write

EC8000

heap

page read and write

585000

unkown

page write copy

2840000

direct allocation

page read and write

58A000

unkown

page readonly

2B10000

heap

page read and write

759000

unkown

page execute and read and write

EBD000

heap

page read and write

1060000

heap

page read and write

4952000

heap

page read and write

E2B000

heap

page read and write

4EED000

stack

page read and write

560F000

stack

page read and write

5160000

remote allocation

page read and write

78A000

unkown

page execute and read and write

7BB000

unkown

page execute and read and write

7BB000

unkown

page execute and read and write

9B000

stack

page read and write

EFA000

heap

page read and write

DCD000

heap

page read and write

560F000

stack

page read and write

774000

unkown

page execute and read and write

C6E000

heap

page read and write

D2C000

heap

page read and write

4B3E000

stack

page read and write

782000

unkown

page execute and read and write

CAF000

heap

page read and write

E9A000

heap

page read and write

585000

unkown

page read and write

577E000

heap

page read and write

E45000

heap

page read and write

D20000

heap

page read and write

EB4000

heap

page read and write

C7D000

heap

page read and write

58A000

unkown

page readonly

C8D000

heap

page read and write

55D000

unkown

page readonly

774000

unkown

page execute and read and write

7BB000

unkown

page execute and read and write

19C000

stack

page read and write

5170000

remote allocation

page read and write

5762000

heap

page read and write

772000

unkown

page execute and read and write

2A52000

heap

page read and write

4EBE000

stack

page read and write

768000

unkown

page execute and read and write

EAA000

heap

page read and write

575F000

stack

page read and write

759000

unkown

page execute and read and write

401000

unkown

page execute read

7AE000

unkown

page execute and read and write

52B0000

remote allocation

page read and write

5765000

heap

page read and write

19C000

stack

page read and write

E1A000

heap

page read and write

4A63000

heap

page read and write

776000

unkown

page execute and read and write

DF6000

heap

page read and write

5160000

remote allocation

page read and write

401000

unkown

page execute read

598000

unkown

page execute and read and write

766000

unkown

page execute and read and write

9B000

stack

page read and write

772000

unkown

page execute and read and write

1D0000

heap

page read and write

CE0000

heap

page read and write

E5B000

heap

page read and write

BF0000

heap

page read and write

774000

unkown

page execute and read and write

C76000

heap

page read and write

55D000

unkown

page readonly

5160000

remote allocation

page read and write

76C000

unkown

page execute and read and write

E31000

heap

page read and write

CEB000

heap

page read and write

585000

unkown

page read and write

2A50000

heap

page read and write

766000

unkown

page execute and read and write

74F000

unkown

page execute and read and write

29DE000

stack

page read and write

EC0000

heap

page read and write

CBA000

heap

page read and write

4EFE000

stack

page read and write

565E000

stack

page read and write

2950000

direct allocation

page read and write

C5B000

heap

page read and write

585000

unkown

page write copy

C35000

heap

page read and write

2840000

direct allocation

page read and write

505E000

stack

page read and write

58A000

unkown

page readonly

19C000

stack

page read and write

F4C000

heap

page read and write

770000

unkown

page execute and read and write

28D0000

direct allocation

page read and write

2940000

heap

page read and write

29E0000

heap

page read and write

DCA000

heap

page read and write

78A000

unkown

page execute and read and write

550E000

stack

page read and write

C55000

heap

page read and write

D80000

direct allocation

page read and write

C41000

heap

page read and write

760000

unkown

page execute and read and write

2820000

heap

page read and write

CBF000

heap

page read and write

75E000

unkown

page execute and read and write

5760000

heap

page read and write

F20000

heap

page read and write

2840000

direct allocation

page read and write

55D000

unkown

page readonly

DA0000

direct allocation

page read and write

502F000

stack

page read and write

759000

unkown

page execute and read and write

CDF000

heap

page read and write

7B3000

unkown

page execute and read and write

EAB000

heap

page read and write

503E000

stack

page read and write

5160000

remote allocation

page read and write

980000

unkown

page execute read

589E000

stack

page read and write

E67000

heap

page read and write

CA6000

heap

page read and write

5160000

remote allocation

page read and write

751000

unkown

page execute and read and write

58A000

unkown

page readonly

782000

unkown

page execute and read and write

7B3000

unkown

page execute and read and write

D22000

heap

page read and write

EF5000

heap

page read and write

757000

unkown

page execute and read and write

5769000

heap

page read and write

4914000

heap

page read and write

2820000

heap

page read and write

564E000

stack

page read and write

759000

unkown

page execute and read and write

980000

unkown

page execute read

774000

unkown

page execute and read and write

C68000

heap

page read and write

4F1D000

stack

page read and write

751000

unkown

page execute and read and write

768000

unkown

page execute and read and write

D70000

heap

page read and write

515F000

stack

page read and write

980000

unkown

page execute read

74D000

unkown

page execute and read and write

52B0000

remote allocation

page read and write

58A000

unkown

page readonly

776000

unkown

page execute and read and write

574E000

stack

page read and write

565E000

stack

page read and write

596000

unkown

page write copy

C6D000

heap

page read and write

596000

unkown

page read and write

5160000

remote allocation

page read and write

DFB000

heap

page read and write

EBE000

heap

page read and write

EB4000

heap

page read and write

75E000

unkown

page execute and read and write

980000

unkown

page execute read

9B000

stack

page read and write

EAD000

heap

page read and write

C80000

heap

page read and write

74F000

unkown

page execute and read and write

760000

unkown

page execute and read and write

980000

unkown

page execute read

C60000

heap

page read and write

513F000

stack

page read and write

CD8000

heap

page read and write

770000

unkown

page execute and read and write

7AE000

unkown

page execute and read and write

4EBD000

stack

page read and write

4DBE000

stack

page read and write

4FFF000

stack

page read and write

E29000

heap

page read and write

76C000

unkown

page execute and read and write

D6E000

heap

page read and write

751000

unkown

page execute and read and write

C32000

heap

page read and write

7BB000

unkown

page execute and read and write

575F000

stack

page read and write

75E000

unkown

page execute and read and write

2840000

direct allocation

page read and write

400000

unkown

page readonly

E92000

heap

page read and write

19C000

stack

page read and write

BFE000

heap

page read and write

55D000

unkown

page readonly

C7E000

heap

page read and write

401000

unkown

page execute read

585000

unkown

page write copy

585000

unkown

page write copy

DC5000

heap

page read and write

751000

unkown

page execute and read and write

DC0000

heap

page read and write

776000

unkown

page execute and read and write

516F000

stack

page read and write

78A000

unkown

page execute and read and write

C8D000

heap

page read and write

295E000

stack

page read and write

400000

unkown

page readonly

4C3E000

stack

page read and write

4DBE000

stack

page read and write

DA0000

direct allocation

page read and write

7AE000

unkown

page execute and read and write

5160000

remote allocation

page read and write

1D5000

heap

page read and write

76A000

unkown

page execute and read and write

770000

unkown

page execute and read and write

513F000

stack

page read and write

52B0000

remote allocation

page read and write

585000

unkown

page read and write

4DEE000

stack

page read and write

760000

unkown

page execute and read and write

2740000

direct allocation

page read and write

EFF000

heap

page read and write

585000

unkown

page write copy

D44000

heap

page read and write

596000

unkown

page write copy

596000

unkown

page write copy

D27000

heap

page read and write

BF0000

heap

page read and write

4C3E000

stack

page read and write

768000

unkown

page execute and read and write

2840000

direct allocation

page read and write

CE2000

heap

page read and write

E60000

heap

page read and write

2B0E000

stack

page read and write

9B000

stack

page read and write

4ECD000

stack

page read and write

2840000

direct allocation

page read and write

2A59000

heap

page read and write

55D000

unkown

page readonly

401000

unkown

page execute read

E01000

heap

page read and write

598000

unkown

page execute and read and write

C95000

heap

page read and write

782000

unkown

page execute and read and write

564E000

stack

page read and write

4D7E000

stack

page read and write

76C000

unkown

page execute and read and write

58A000

unkown

page readonly

76A000

unkown

page execute and read and write

519E000

stack

page read and write

BF0000

heap

page read and write

574F000

stack

page read and write

CE3000

heap

page read and write

768000

unkown

page execute and read and write

D1C000

heap

page read and write

596000

unkown

page write copy

5170000

remote allocation

page read and write

766000

unkown

page execute and read and write

574F000

stack

page read and write

753000

unkown

page execute and read and write

E0F000

heap

page read and write

EC0000

heap

page read and write

58A000

unkown

page readonly

293E000

stack

page read and write

7B3000

unkown

page execute and read and write

D80000

heap

page read and write

576E000

heap

page read and write

78A000

unkown

page execute and read and write

598000

unkown

page execute and read and write

599F000

stack

page read and write

19C000

stack

page read and write

EF3000

heap

page read and write

D4C000

heap

page read and write

CDA000

heap

page read and write

C60000

direct allocation

page read and write

D60000

heap

page read and write

5160000

remote allocation

page read and write

28F0000

heap

page read and write

55D000

unkown

page readonly

772000

unkown

page execute and read and write

EA4000

heap

page read and write

753000

unkown

page execute and read and write

4CEE000

stack

page read and write

2820000

direct allocation

page read and write

CD2000

heap

page read and write

980000

unkown

page execute read

7AE000

unkown

page execute and read and write

C3C000

heap

page read and write

980000

unkown

page execute read

58A000

unkown

page readonly

2ACE000

stack

page read and write

EB5000

heap

page read and write

C2D000

heap

page read and write

980000

unkown

page execute read

5764000

heap

page read and write

7B3000

unkown

page execute and read and write

551E000

stack

page read and write

74D000

unkown

page execute and read and write

5170000

remote allocation

page read and write

768000

unkown

page execute and read and write

598000

unkown

page execute and read and write

760000

unkown

page execute and read and write

E7C000

heap

page read and write

D62000

heap

page read and write

596000

unkown

page write copy

5765000

heap

page read and write

55D000

unkown

page readonly

760000

unkown

page execute and read and write

9B000

stack

page read and write

D6B000

heap

page read and write

400000

unkown

page readonly

757000

unkown

page execute and read and write

D58000

heap

page read and write

299E000

stack

page read and write

529F000

stack

page read and write

550E000

stack

page read and write

CDE000

heap

page read and write

D79000

heap

page read and write

D62000

heap

page read and write

774000

unkown

page execute and read and write

753000

unkown

page execute and read and write

78A000

unkown

page execute and read and write

75E000

unkown

page execute and read and write

401000

unkown

page execute read

76A000

unkown

page execute and read and write

75E000

unkown

page execute and read and write

766000

unkown

page execute and read and write

DC0000

heap

page read and write

400000

unkown

page readonly

28B0000

heap

page read and write

D3E000

heap

page read and write

766000

unkown

page execute and read and write

C4B000

heap

page read and write

DA0000

direct allocation

page read and write

596000

unkown

page read and write

55D000

unkown

page readonly

BF0000

heap

page read and write

C59000

heap

page read and write

401000

unkown

page execute read

2980000

direct allocation

page read and write

CB6000

heap

page read and write

596000

unkown

page read and write

28C0000

heap

page read and write

D00000

heap

page read and write

4D8D000

stack

page read and write

C00000

heap

page read and write

74F000

unkown

page execute and read and write

D39000

heap

page read and write

2A40000

heap

page read and write

4DCE000

stack

page read and write

76A000

unkown

page execute and read and write

E14000

heap

page read and write

EDC000

heap

page read and write

DA0000

heap

page read and write

782000

unkown

page execute and read and write

400000

unkown

page readonly

772000

unkown

page execute and read and write

757000

unkown

page execute and read and write

D50000

heap

page read and write

58A000

unkown

page readonly

DA0000

direct allocation

page read and write

2A8E000

stack

page read and write

D61000

heap

page read and write

C77000

heap

page read and write

E97000

heap

page read and write

49F7000

heap

page read and write

401000

unkown

page execute read

2900000

direct allocation

page read and write

585000

unkown

page read and write

980000

unkown

page execute read

74D000

unkown

page execute and read and write

C40000

heap

page read and write

C76000

heap

page read and write

CB8000

heap

page read and write

76C000

unkown

page execute and read and write

772000

unkown

page execute and read and write

CD0000

heap

page read and write

561F000

stack

page read and write

4F0E000

stack

page read and write

CDE000

heap

page read and write

DEE000

heap

page read and write

2840000

direct allocation

page read and write

D29000

heap

page read and write

5760000

heap

page read and write

C95000

heap

page read and write

514F000

stack

page read and write

751000

unkown

page execute and read and write

4D7D000

stack

page read and write

C46000

heap

page read and write

55D000

unkown

page readonly

C50000

heap

page read and write

28D0000

heap

page read and write

EC5000

heap

page read and write

7B3000

unkown

page execute and read and write

2980000

direct allocation

page read and write

74D000

unkown

page execute and read and write

293E000

stack

page read and write

C85000

heap

page read and write

2860000

direct allocation

page read and write

550E000

stack

page read and write

4E1E000

stack

page read and write

400000

unkown

page readonly

F4E000

heap

page read and write

980000

unkown

page execute read

2810000

heap

page read and write

58A000

unkown

page readonly

EB1000

heap

page read and write

C00000

heap

page read and write

4FFF000

stack

page read and write

7AE000

unkown

page execute and read and write

CA1000

heap

page read and write

400000

unkown

page readonly

C87000

heap

page read and write

D0E000

heap

page read and write

CD0000

heap

page read and write

CF0000

heap

page read and write

504E000

stack

page read and write

753000

unkown

page execute and read and write

501E000

stack

page read and write

E37000

heap

page read and write

770000

unkown

page execute and read and write

C87000

heap

page read and write

4C7E000

stack

page read and write

4EFE000

stack

page read and write

4C8E000

stack

page read and write

2740000

direct allocation

page read and write

2A3E000

stack

page read and write

There are 480 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC Report
YnsEArPlqx.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOC ReportYnsEArPlqx.exe

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

IOC Report
YnsEArPlqx.exe