Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1461913
MD5:	25b65b2ba97aed1e863cd281e0362f77
SHA1:	dda86428b789ab14ef7e98c474478bd0fd0b8840
SHA256:	ee85726eda426921bea54b277c97a67a84a79897f238633abf141815ba8bf0db
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject threads in other processes

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7488 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 25B65B2BA97AED1E863CD281E0362F77)

schtasks.exe (PID: 8092 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8140 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8148 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 2920 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7488 -s 1908 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MPGPH131.exe (PID: 3488 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 25B65B2BA97AED1E863CD281E0362F77)

MPGPH131.exe (PID: 7208 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 25B65B2BA97AED1E863CD281E0362F77)

RageMP131.exe (PID: 5672 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 25B65B2BA97AED1E863CD281E0362F77)

RageMP131.exe (PID: 7520 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 25B65B2BA97AED1E863CD281E0362F77)

WerFault.exe (PID: 7900 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 1756 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\kRsLnWC8nSKO7cxBB_GPBsv.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\4ML83FcuAgQz3IZIJQZt9jp.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.4140603731.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7488	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: file.exe PID: 7488	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 5672	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7520	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7520	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 7 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7488, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/24/24-19:25:41.283808
SID:	2046269
Source Port:	49738
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/24/24-19:26:10.710261
SID:	2046269
Source Port:	49741
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:25:38.596585
SID:	2046266
Source Port:	58709
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:25:49.515462
SID:	2046267
Source Port:	58709
Destination Port:	49744
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/24/24-19:23:28.476446
SID:	2049060
Source Port:	49738
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:25:33.081920
SID:	2046267
Source Port:	58709
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:25:30.520801
SID:	2046266
Source Port:	58709
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:23:40.001411
SID:	2046267
Source Port:	58709
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 77.91.77.66

Timestamp:	06/24/24-19:25:41.518335
SID:	2046269
Source Port:	49744
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 77.91.77.66 - Destination IP: 192.168.2.4

Timestamp:	06/24/24-19:23:29.079279
SID:	2046266
Source Port:	58709
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://77.91.77.81/cost/go.exe	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/mine/amadka.exe338	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe00.1	Avira URL Cloud: Label: phishing
Source: http://77.91.77.81/cost/lenin.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 55%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,

0_2_004C6B00

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49746 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_004C6000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_004E6770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,	0_2_00493F40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_004DFF00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00431F9C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00432022
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_004938D0

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49738 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49738
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49738
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49741
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49741 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 77.91.77.66:58709 -> 192.168.2.4:49744
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49744 -> 77.91.77.66:58709
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 77.91.77.66:58709 -> 192.168.2.4:49744

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49738 -> 77.91.77.66:58709

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View	IP Address: 77.91.77.66 77.91.77.66

Source: Joe Sandbox View

ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004C8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW,

0_2_004C8590

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191930891.0000000000B5C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4115654237.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/go.exe
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/lenin.exe
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/cost/lenin.exe00.1
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exe
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://77.91.77.81/mine/amadka.exe338
Source: Amcache.hve.15.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/G
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.339
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33rHt
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33routz-
Source: file.exe, 00000000.00000002.4141399412.0000000000DF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/f
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/vR
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/I
Source: file.exe, 00000000.00000002.4141399412.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/S~
Source: file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141399412.0000000000D80000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D18000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33s
Source: file.exe, 00000000.00000002.4141399412.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mG
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.microsoft.
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.microsoft..
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.3949358499.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947298346.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4108491697.000000000594B000.00000004.00000020.00020000.00000000.sdmp, AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.3949358499.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947298346.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4108491697.000000000594B000.00000004.00000020.00020000.00000000.sdmp, AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp, kRsLnWC8nSKO7cxBB_GPBsv.zip.12.dr, 4ML83FcuAgQz3IZIJQZt9jp.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT&
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTV
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.12.dr, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot.com
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botrisep
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botrisepro
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/A
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/C
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3948383069.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3948602349.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947850574.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4193013523.0000000005902000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, 3b6N2Xdh3CYwplaces.sqlite.12.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/H
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/J
Source: D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/3
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/Dragon
Source: file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3948383069.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3948602349.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947850574.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4193013523.0000000005902000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, 3b6N2Xdh3CYwplaces.sqlite.12.dr, D87fZN3R3jFeplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.12.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/r

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49743 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49746 version: TLS 1.2

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044002D	0_2_0044002D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DF030	0_2_004DF030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049F0D0	0_2_0049F0D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004AA200	0_2_004AA200
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049D3A0	0_2_0049D3A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004963B0	0_2_004963B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00490440	0_2_00490440
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DE430	0_2_004DE430
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0053F550	0_2_0053F550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004D7600	0_2_004D7600
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004986B0	0_2_004986B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040B8E0	0_2_0040B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00458BB0	0_2_00458BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00481C10	0_2_00481C10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004FAD00	0_2_004FAD00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493F40	0_2_00493F40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0049AF60	0_2_0049AF60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DFF00	0_2_004DFF00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493080	0_2_00493080
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004371A0	0_2_004371A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044036F	0_2_0044036F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A4320	0_2_004A4320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004845E0	0_2_004845E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042F580	0_2_0042F580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004A3610	0_2_004A3610
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005486C0	0_2_005486C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00547760	0_2_00547760
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E77E0	0_2_004E77E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004547BF	0_2_004547BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043C960	0_2_0043C960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043A928	0_2_0043A928
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0044DA86	0_2_0044DA86
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EEC40	0_2_004EEC40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004EFC40	0_2_004EFC40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00534D40	0_2_00534D40

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 0041ACE0 appears 85 times

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7488 -s 1908

Source: file.exe	Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.3990331949.0000000004784000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe, 00000000.00000002.4131454189.0000000000598000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe, 00000000.00000002.4131377991.000000000058A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe, 00000000.00000003.1730229244.0000000000B60000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenamedotnet.exe6 vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9987072394590294
Source: file.exe	Static PE information: Section: ZLIB complexity 0.9943462171052632
Source: file.exe	Static PE information: Section: ZLIB complexity 0.99267578125
Source: file.exe	Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: file.exe	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9987072394590294
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9943462171052632
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.99267578125
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: RageMP131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9987072394590294
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9943462171052632
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.99267578125
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 1.0023871527777777
Source: MPGPH131.exe.0.dr	Static PE information: Section: .reloc ZLIB complexity 1.5

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@13/56@3/3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

0_2_004DFF00

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7520
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8148:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7488
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8100:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.3946946939.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3946880676.0000000000C5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3946610816.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4105410117.0000000005905000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106158216.0000000005905000.00000004.00000020.00020000.00000000.sdmp, yNHsMmvixazKLogin Data For Account.12.dr, XjpAQ5NNLFgdLogin Data For Account.0.dr, 3bUDfKkYHRRCLogin Data.0.dr, g4ngTia0RD8YLogin Data.12.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

ReversingLabs: Detection: 55%

Source: file.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7488 -s 1908
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 1756
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dpapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static file information: File size 5057040 > 1048576

Source: file.exe

Static PE information: Raw size of .themida is bigger than: 0x100000 < 0x41a000

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

0_2_004CF280

Source: initial sample

Static PE information: section where entry point is pointing to: .themida

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .themida
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .themida
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .themida

Source: file.exe	Static PE information: section name: entropy: 7.9785339651284515
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.9785339651284515
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.9785339651284515

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-47236

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\file.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	System information queried: FirmwareTableInformation	Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-47236

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-47347

Source: C:\Users\user\Desktop\file.exe TID: 7492	Thread sleep count: 47 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7492	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 8188	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7492	Thread sleep count: 173 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7492	Thread sleep count: 127 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4564	Thread sleep count: 95 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1196	Thread sleep count: 98 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1196	Thread sleep count: 54 > 30	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_004C6000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_004E6770
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree,	0_2_00493F40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_004DFF00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00431F9C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00432022
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_004938D0

Source: C:\Users\user\Desktop\file.exe

0_2_004DFF00

Source: Amcache.hve.15.dr	Binary or memory string: VMware
Source: file.exe, 00000000.00000002.4141399412.0000000000D80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: MPGPH131.exe, 0000000A.00000002.4225445070.0000000000C17000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__13N
Source: Amcache.hve.15.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D4B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000ACF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 0000000B.00000003.3744880885.0000000000D62000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.15.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`
Source: RageMP131.exe, 0000000C.00000003.4115654237.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}sz
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000A80000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&QI\|
Source: Amcache.hve.15.dr	Binary or memory string: vmci.sys
Source: RageMP131.exe, 0000000B.00000003.3744880885.0000000000D64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a~
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000CF0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000SOR_IDENTIFIER=Intel64 Family
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.15.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.15.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.15.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.15.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.15.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.15.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr	Binary or memory string: VMware Virtual USB Mouse
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.15.dr	Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 0000000C.00000003.3825714540.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.15.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.15.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.15.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.4140528595.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}iles\fqs92o4p.default-release\signons.sqlite-journal;8
Source: Amcache.hve.15.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RageMP131.exe, 0000000C.00000003.4115654237.0000000000B59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*}
Source: file.exe, 00000000.00000002.4141399412.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&#
Source: Amcache.hve.15.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.15.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.15.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: RageMP131.exe, 0000000C.00000003.3825714540.0000000000AE8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}sH\|
Source: Amcache.hve.15.dr	Binary or memory string: vmci.syshbin`
Source: MPGPH131.exe, 00000009.00000002.4226302910.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__m
Source: Amcache.hve.15.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.15.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000009.00000002.4226115563.0000000000B75000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4225147379.0000000000A85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 0000000C.00000002.4193013523.0000000005902000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsww
Source: Amcache.hve.15.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: file.exe, 00000000.00000003.3958447503.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Cs
Source: file.exe, 00000000.00000002.4140528595.0000000000BB0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*.br,w
Source: RageMP131.exe, 0000000C.00000002.4193013523.0000000005932000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4E00BE1E
Source: RageMP131.exe, 0000000B.00000002.4226656501.0000000000D18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00438A64

Source: C:\Users\user\Desktop\file.exe

0_2_004CF280

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004C6D80 mov eax, dword ptr fs:[00000030h]		0_2_004C6D80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00493F40 mov eax, dword ptr fs:[00000030h]		0_2_00493F40

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004E9A70 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,

0_2_004E9A70

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0043451D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00438A64

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\file.exe

0_2_004CF280

Source: C:\Users\user\Desktop\file.exe	Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_004DFF00
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004531CA
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_0044B1B1
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_004532F3
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_004533F9
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_004534CF
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0044B734
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00452B5A
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00452D5F

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_004DFF00

Source: C:\Users\user\Desktop\file.exe

0_2_004DFF00

Source: C:\Users\user\Desktop\file.exe

0_2_004DFF00

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.15.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.15.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4140603731.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\kRsLnWC8nSKO7cxBB_GPBsv.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4ML83FcuAgQz3IZIJQZt9jp.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.4141399412.0000000000DF3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsYMu
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Jaxx\Local Storage*7
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.4141399412.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.jsonP
Source: file.exe, 00000000.00000002.4141399412.0000000000D8C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000003.3956116798.0000000000C5D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletses
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7520, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4140603731.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7488, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7520, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\kRsLnWC8nSKO7cxBB_GPBsv.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\4ML83FcuAgQz3IZIJQZt9jp.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	2 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	2 Software Packing	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	351 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	13 Virtualization/Sandbox Evasion	Cached Domain Credentials	13 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Network Configuration Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	55%	ReversingLabs	Win32.Trojan.RiseProStealer
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	55%	ReversingLabs	Win32.Trojan.RiseProStealer
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	55%	ReversingLabs	Win32.Trojan.RiseProStealer

Source	Detection	Scanner	Label
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ipinfo.io/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
https://db-ip.com/demo/home.php?s=8.46.123.33routz-	0%	Avira URL Cloud	safe
https://duckduckgo.com/ac/?q=	0%	Avira URL Cloud	safe
https://duckduckgo.com/chrome_newtab	0%	Avira URL Cloud	safe
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	0%	Avira URL Cloud	safe
https://ipinfo.io:443/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
http://77.91.77.81/cost/go.exe	100%	Avira URL Cloud	phishing
https://db-ip.com/	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	0%	Avira URL Cloud	safe
https://support.microsoft..	0%	Avira URL Cloud	safe
http://77.91.77.81/mine/amadka.exe	100%	Avira URL Cloud	phishing
https://t.me/risepro_bot.com	0%	Avira URL Cloud	safe
https://support.mG	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://t.me/risepro_botrisepro	0%	Avira URL Cloud	safe
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTV	0%	Avira URL Cloud	safe
https://db-ip.com/vR	0%	Avira URL Cloud	safe
https://db-ip.com/G	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.339	0%	Avira URL Cloud	safe
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	0%	Avira URL Cloud	safe
http://77.91.77.81/mine/amadka.exe338	100%	Avira URL Cloud	phishing
https://support.microsoft.	0%	Avira URL Cloud	safe
https://t.me/risepro_botrisep	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	Avira URL Cloud	safe
https://ipinfo.io/I	0%	Avira URL Cloud	safe
https://ipinfo.io/S~	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33s	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT&	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33rHt	0%	Avira URL Cloud	safe
https://ipinfo.io/Mozilla/5.0	0%	Avira URL Cloud	safe
https://db-ip.com/f	0%	Avira URL Cloud	safe
http://77.91.77.81/cost/lenin.exe00.1	100%	Avira URL Cloud	phishing
https://t.me/risepro_bot	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://support.mozilla.org	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll	0%	Avira URL Cloud	safe
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
http://77.91.77.81/cost/lenin.exe	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		unknown
db-ip.com	104.26.5.15	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/widget/demo/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	false	URL Reputation: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://77.91.77.81/mine/amadka.exe	file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	false	Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/8.46.123.33	file.exe, 00000000.00000002.4141399412.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	D87fZN3R3jFeplaces.sqlite.12.dr	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/go.exe	file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191930891.0000000000B5C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4115654237.0000000000B59000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33routz-	RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/	RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	file.exe, 00000000.00000003.3949358499.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947298346.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4108491697.000000000594B000.00000004.00000020.00020000.00000000.sdmp, AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	false	Avira URL Cloud: safe	unknown
https://support.microsoft..	file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot.com	RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTV	RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.339	RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	false	Avira URL Cloud: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	false	URL Reputation: safe	unknown
https://support.mG	file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=8.46.123.33	file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botrisepro	RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/vR	RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/G	RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	false	Avira URL Cloud: safe	unknown
https://support.microsoft.	file.exe, 00000000.00000003.3951277540.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botrisep	file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/mine/amadka.exe338	file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/I	RageMP131.exe, 0000000C.00000002.4191309769.0000000000AF5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.15.dr	false	URL Reputation: safe	unknown
https://ipinfo.io/S~	RageMP131.exe, 0000000C.00000002.4191309769.0000000000ABF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33s	RageMP131.exe, 0000000C.00000002.4191309769.0000000000ADD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000CFE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000A87000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp, kRsLnWC8nSKO7cxBB_GPBsv.zip.12.dr, 4ML83FcuAgQz3IZIJQZt9jp.zip.0.dr	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT&	file.exe, 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	file.exe, 00000000.00000003.3949358499.0000000000C24000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947298346.0000000000C04000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4108491697.000000000594B000.00000004.00000020.00020000.00000000.sdmp, AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33rHt	RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	false	URL Reputation: safe	unknown
https://ipinfo.io/Mozilla/5.0	file.exe, 00000000.00000002.4141399412.0000000000DA5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4226656501.0000000000D7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000AFB000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	D87fZN3R3jFeplaces.sqlite.12.dr	false	URL Reputation: safe	unknown
https://db-ip.com/f	file.exe, 00000000.00000002.4141399412.0000000000DF3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	false	URL Reputation: safe	unknown
https://t.me/risepro_bot	RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.12.dr, passwords.txt.0.dr	false	Avira URL Cloud: safe	unknown
http://77.91.77.81/cost/lenin.exe00.1	file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
https://www.maxmind.com/en/locate-my-ip-address	file.exe, MPGPH131.exe	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	file.exe, 00000000.00000003.1730186616.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.4131200239.000000000055D000.00000002.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4205214510.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000009.00000003.2549100444.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4205114478.000000000055E000.00000002.00000001.01000000.00000005.sdmp, MPGPH131.exe, 0000000A.00000003.2551685082.0000000000B80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000003.2625846209.0000000000CB0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000B.00000002.4205140259.000000000055D000.00000002.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2705552575.0000000002510000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4181871534.000000000055D000.00000002.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://support.mozilla.org	D87fZN3R3jFeplaces.sqlite.12.dr	false	Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	AJtuLK1vTV6ZHistory.12.dr, 4eIBzLItYm9HHistory.12.dr, a5tnyiyBgaPrHistory.0.dr, 8NRYQ89STpI4History.0.dr	false	Avira URL Cloud: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.3947663706.0000000000C34000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3947011691.0000000000C16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3949818251.0000000000C8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4106815279.000000000595B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.4109506040.000000000595D000.00000004.00000020.00020000.00000000.sdmp, upMh8m2QDC4CWeb Data.12.dr, ppsBGe_ameh5Web Data.0.dr, 3mMkeKh4moOvWeb Data.12.dr, S527AOHrZ0lnWeb Data.12.dr, n7RBCXlydKsaWeb Data.0.dr, dm6xJuVPfU3TWeb Data.0.dr	false	URL Reputation: safe	unknown
http://77.91.77.81/cost/lenin.exe	file.exe, 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
104.26.5.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false
77.91.77.66	unknown	Russian Federation	42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1461913
Start date and time:	2024-06-24 19:21:10 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@13/56@3/3
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 64% Number of executed functions: 44 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target MPGPH131.exe, PID 3488 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Simulations

Behavior and APIs

Time	Type	Description
13:26:06	API Interceptor	2x Sleep call for process: WerFault.exe modified
18:23:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
18:23:28	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
18:23:28	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
18:23:36	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
104.26.5.15	SecuriteInfo.com.Win64.Evo-gen.17494.7440.exe	Get hash	malicious	Unknown	Browse	api.db-ip.com/v2/free/127.0.0.1
	Nemty.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/84.17.52.2/countryName
	227.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/102.129.143.40/countryName
77.91.77.66	90ZF1EDs9h.exe	Get hash	malicious	RisePro Stealer	Browse
	Ke5ufWcgxp.exe	Get hash	malicious	RisePro Stealer	Browse
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse
	PNO3otPYOa.exe	Get hash	malicious	RisePro Stealer	Browse
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse
	AlCsIOd0pd.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	http://telegravm.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrarl.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegraem.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrema.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrram.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrmaw.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrnal.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrma.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegtsan.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	90ZF1EDs9h.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
db-ip.com	http://luxury-sherbet-tk1111-10e1b5.netlify.app/form.html	Get hash	malicious	Unknown	Browse	172.67.75.166
	https://le-2vr.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://e23-c5p.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://ml5-94x.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://cn10.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	172.67.75.166
	https://verify-infraction-messages.netlify.app/appeal_case_id_561597519/	Get hash	malicious	Unknown	Browse	104.26.5.15
	90ZF1EDs9h.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	http://feedbackreview-id0284892389423.d1o0pnrgaue9g2.amplifyapp.com/index.html	Get hash	malicious	Unknown	Browse	104.26.4.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	77.91.77.81
	setup.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer	Browse	77.91.77.81
	90ZF1EDs9h.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	setup.exe	Get hash	malicious	Amadey	Browse	77.91.77.81
	mCTacyNuyM.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, LummaC Stealer, Monster Stealer, PureLog Stealer, RedLine	Browse	77.91.77.81
	Ke5ufWcgxp.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	yWny5Jds8b.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, RedLine	Browse	77.91.77.81
	file.exe	Get hash	malicious	LummaC, Python Stealer, Amadey, Monster Stealer, PureLog Stealer, RedLine, SmokeLoader	Browse	77.91.77.81
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	file.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	http://telegravm.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrarl.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegraem.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrema.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrram.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrmaw.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrnal.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrma.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegtsan.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	90ZF1EDs9h.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
CLOUDFLARENETUS	division.exe	Get hash	malicious	Blank Grabber	Browse	162.159.137.232
	phish_alert_iocp_v1.4.48 (60).eml	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://sharingfile.mirbrth.click/fileshare/index.html	Get hash	malicious	HTMLPhisher	Browse	104.18.11.207
	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	188.114.96.3
	https://forms.promo-pharmacies.gr/6659c45ccdd608959f27a5c2	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://okta.coterra.com/enduser/report-suspicious-activity?i=eyJ6aXAiOiJERUYiLCJ2ZXIiOiIxIiwiZW5jIjoiQTI1NkdDTSIsImFsZyI6ImRpciJ9..oAwOZgaFj5J-DZXW.ofKE-ABdk34n4JIsq0KY2CCVK3lfuD4l1ta3yMD14ckRHKBwUJxrGHiZFT9C4njSsFvnWQ_hghpTov3QKqmRQP0hYVwlZSDNfSGuVzH_6vlWNswC_asd1s71JaXniZ-XQJl0zyVHWIe1ix1f7AMzS2H2SSJjWdVUKOvF1c7qpLjoBRMOLzUjxV7eKJB_D1wohy9vsirL3CVZJMqcmQ.VGaKzEODnxMjVBC5uqGP7w	Get hash	malicious	Unknown	Browse	1.1.1.1
	loading advice..exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	https://www.ocenit.cl/ocenit.html	Get hash	malicious	Unknown	Browse	188.114.97.3
	2MbHBiqXH2.rtf	Get hash	malicious	RedLine	Browse	172.67.162.95
	Invoice LGMSCH0040924 Paid - EFT Remittance Advice and Receipt.docx.doc	Get hash	malicious	RedLine	Browse	104.21.74.191

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	file.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	104.26.5.15 34.117.186.192
	PDRI-Industrial_v5-1-3.xlsm	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	https://dl.dropboxusercontent.com/scl/fi/ssrtsruwybdh9nryde8cy/doc09194992304029942.zip?rlkey=7ohjqlkztcaq70mg47cinafu3&st=h88qnqqw&dl=0	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	P47qLDsX4K.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192
	u8m4hip9Ca.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192
	congratulations.xlsm	Get hash	malicious	Hidden Macro 4.0	Browse	104.26.5.15 34.117.186.192
	Form_Ver-00-26-49.js	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	104.26.5.15 34.117.186.192
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	104.26.5.15 34.117.186.192
	vpn.msi	Get hash	malicious	Bazar Loader, BruteRatel, Latrodectus	Browse	104.26.5.15 34.117.186.192
	setup.exe	Get hash	malicious	LummaC	Browse	104.26.5.15 34.117.186.192

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5057040
Entropy (8bit):	6.629709258645384
Encrypted:	false
SSDEEP:	98304:iJAHOSoYGjhqYAcUJ6oyJ/jw0QtlCZWQ/SeSjWrOl0:3HvosT4//ZWQ/SeSjWrU0
MD5:	25B65B2BA97AED1E863CD281E0362F77
SHA1:	DDA86428B789AB14EF7E98C474478BD0FD0B8840
SHA-256:	EE85726EDA426921BEA54B277C97A67A84A79897F238633ABF141815BA8BF0DB
SHA-512:	3751F504AD14229E2A05E7F0DFBBCBFF1650684437B0FD016E06C6556AB00556AC58F78C2F75DDD20E57902B1E959D2EC2B749C73D01F99B9941881109B085ED
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 55%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y...s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|......Y.............@..........................P[......IM......................................a..........8....................@[..............................p...............................6..@................... ........................... ..` 2~..........................@..@ 0I...P......................@... 8...........................@..@ X........r..................@..B.idata.......`.......l..............@....tls.........p.......p...................rsrc................r..............@..@.themida..A.......A.................`....reloc.......@[......M................@................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0486395954529004
Encrypted:	false
SSDEEP:	192:UcXZH5L0RLIn3j/ZrUUJcUzuiFUZ24IO8+:XXZH5YRLIn3jKUzuiFUY4IO8+
MD5:	B77087D1C425FA643906A83C4A4826E4
SHA1:	7198783E90DC16A0002CD296CD9B605A382964B4
SHA-256:	C34C25133F5719C49BA8FD6EF223B2571C09DC5904771CFA6D84DC36560626BA
SHA-512:	FDDCD04F401D3180B174BE1AD15A9529FCF6069AD0600AE896EF1F967A715EC7A4EB4B3009315FD3D92D6264B2BB53B1E5B77C1735AF76E89E4533DBD01FF83F
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.7.2.3.5.6.8.8.8.9.7.1.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.7.2.3.5.6.9.5.7.7.2.1.8.2.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.e.e.f.7.8.e.7.-.d.3.3.4.-.4.a.f.e.-.9.6.8.6.-.3.0.c.8.6.7.c.c.e.4.f.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.a.d.7.a.4.2.5.-.f.6.d.8.-.4.e.7.0.-.9.2.8.2.-.b.2.1.5.1.5.d.1.6.1.c.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.a.g.e.M.P.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.d.o.t.n.e.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.6.0.-.0.0.0.1.-.0.0.1.4.-.0.2.4.c.-.b.3.4.3.5.b.c.6.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.5.1.a.4.3.5.a.e.9.1.a.7.4.f.b.4.a.6.8.7.3.2.6.5.f.3.a.4.9.d.2.7.0.0.0.0.0.9.0.4.!.0.0.0.0.d.d.a.8.6.4.2.8.b.7.8.9.a.b.1.4.e.f.7.e.9.8.c.4.7.4.4.7.8.b.d.0.f.d.0.b.8.8.

Entrypoint:	0x6ef659
Entrypoint Section:	.themida
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x664C6914 [Tue May 21 09:27:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	63814aaf116ba6abb6496ce4bcad24c6

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x19618b	0x184	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x198000	0x1638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5b4000	0x10	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x197018	0x18	.tls
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x18369c	0x40
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x15bbc8	0x9d200	ad7381d8e49bae8845ffe03c37810030	False	0.9987072394590294	data	7.9785339651284515	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
	0x15d000	0x27e32	0x10a00	75352b75261c4ba16ef9a61a4cea2f6d	False	0.9943462171052632	data	7.953140468359685	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x185000	0x4930	0x800	d83c413edd4ad252444118e5b4ce61fe	False	0.99267578125	data	7.783166409897431	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x18a000	0x1638	0x1200	70ede1f87d7150a93e4c41c0b5943ed0	False	1.0023871527777777	data	7.922979958787149	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x18c000	0x9858	0x7200	07fb0d1bf1ccc89414a302f0ac6b9a52	False	0.9772135416666666	data	7.922926033739588	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.idata	0x196000	0x1000	0x400	1b20e07443fa333ff9692026d1e6c6c2	False	0.3984375	data	3.42439969016873	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x197000	0x1000	0x200	54a50a058e0f3b6aa2fe1b22e2033106	False	0.056640625	data	0.18120187678200297	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x198000	0x1800	0x1800	8c07c632d33dfa924f509b4c1a411b46	False	0.7236328125	data	6.542260883235457	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.themida	0x19a000	0x41a000	0x41a000	2d6675b5da9332ca6ec1b6e9f3fd0bca	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5b4000	0x1000	0x10	f5bc99b71bad9e8a775cc32747e3ca58	False	1.5	GLS_BINARY_LSB_FIRST	2.474601752714581	IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x198100	0x1060	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.8838263358778626
RT_GROUP_ICON	0x199170	0x14	data	Russian	Russia	1.05
RT_VERSION	0x199194	0x310	data	Russian	Russia	0.45408163265306123
RT_MANIFEST	0x1994b4	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

DLL	Import
kernel32.dll	GetModuleHandleA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegQueryValueExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 24, 2024 19:23:40.068439960 CEST	58597	53	192.168.2.4	1.1.1.1
Jun 24, 2024 19:23:40.078404903 CEST	53	58597	1.1.1.1	192.168.2.4
Jun 24, 2024 19:23:40.777746916 CEST	52838	53	192.168.2.4	1.1.1.1
Jun 24, 2024 19:23:40.790668011 CEST	53	52838	1.1.1.1	192.168.2.4
Jun 24, 2024 19:25:33.151926041 CEST	51576	53	192.168.2.4	1.1.1.1
Jun 24, 2024 19:25:33.159744024 CEST	53	51576	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-06-24 17:22:01 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-06-24 17:22:01 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Mon, 24 Jun 2024 17:22:01 GMT content-type: application/json; charset=utf-8 Content-Length: 319 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-24 17:22:01 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Timestamp	Bytes transferred	Direction	Data
2024-06-24 17:23:40 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-24 17:23:40 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Mon, 24 Jun 2024 17:23:40 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-24 17:23:40 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-24 17:23:40 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Timestamp	Bytes transferred	Direction	Data
2024-06-24 17:23:41 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-24 17:23:41 UTC	655	IN	HTTP/1.1 200 OK Date: Mon, 24 Jun 2024 17:23:41 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466F80:C56A_93878F2E:0050_6679AB9D_158CF91D:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n4UP2mB05B90bF4Zll%2FWRXZ7VB6uX0ytJgAtUQF5MsUsPm9KT7F93iZ2h9K5QE6zx3RADztF4mTdjhvsWCZ6lTQPl%2BcJOo%2Fh4HNHBBhOclWQrhuXVW1EisI2rA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 898e68377842c466-EWR alt-svc: h3=":443"; ma=86400
2024-06-24 17:23:41 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-24 17:23:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-06-24 17:25:33 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-24 17:25:33 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Mon, 24 Jun 2024 17:25:33 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-24 17:25:33 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-24 17:25:33 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Timestamp	Bytes transferred	Direction	Data
2024-06-24 17:25:34 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-24 17:25:34 UTC	665	IN	HTTP/1.1 200 OK Date: Mon, 24 Jun 2024 17:25:34 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC467271:7AE8_93878F2E:0050_6679AC0E_1579CA8C:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Gpx%2F2VsgW4OF555umUteF0xs%2BLW6l%2BACZQ3ZTjl0gXc0vZj6sEPjPKbtZsx4b9BYgrhsv3xbKx%2BStnuxk9pe3%2BwRnTZqAw7xyCF%2FAhnk%2FH9mALVuF7%2BzCuMOA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 898e6afa09db7cf3-EWR alt-svc: h3=":443"; ma=86400
2024-06-24 17:25:34 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-24 17:25:34 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-06-24 17:25:50 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-24 17:25:50 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Mon, 24 Jun 2024 17:25:50 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-24 17:25:50 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-24 17:25:50 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Timestamp	Bytes transferred	Direction	Data
2024-06-24 17:25:51 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-24 17:25:51 UTC	651	IN	HTTP/1.1 200 OK Date: Mon, 24 Jun 2024 17:25:51 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: A29E9B92:9A9C_93878F2E:0050_6679AC1F_158D0CB5:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bMysqy0GqfiLjDqR6Z89plRBJ9eohBP85LG7DGHGasrHgLwRUolFyc6JibJ0FxG2JGAvA1aP59zmIaVRWkfgyQno89pd%2FQuDcc8KNXz3igrLdpCgNUi01Ef7pA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 898e6b62ecd043b5-EWR alt-svc: h3=":443"; ma=86400
2024-06-24 17:25:51 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-24 17:25:51 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	13:22:06
Start date:	24/06/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x400000
File size:	5'057'040 bytes
MD5 hash:	25B65B2BA97AED1E863CD281E0362F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.3990852443.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4140603731.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4141399412.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.4141399412.0000000000DBE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	5
Start time:	13:23:26
Start date:	24/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x7f0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	9
Start time:	13:23:28
Start date:	24/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x400000
File size:	5'057'040 bytes
MD5 hash:	25B65B2BA97AED1E863CD281E0362F77
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	11
Start time:	13:23:36
Start date:	24/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x400000
File size:	5'057'040 bytes
MD5 hash:	25B65B2BA97AED1E863CD281E0362F77
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	false

Target ID:	12
Start time:	13:23:44
Start date:	24/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x400000
File size:	5'057'040 bytes
MD5 hash:	25B65B2BA97AED1E863CD281E0362F77
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000C.00000002.4193013523.0000000005921000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000C.00000003.4115689761.000000000591E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.4191309769.0000000000B08000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	15
Start time:	13:25:53
Start date:	24/06/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7488 -s 1908
Imagebase:	0xbf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_c64587a9515af7bb2f60a6bd1524624be94ab9f_2a26eb84_ceef78e7-d334-4afe-9686-30c867cce4ff\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_1c77ce1ec0b3d89a6dd55c51bfa436d4dea36c5e_2b1844b5_9cb15825-2a12-4239-bf22-cbc4e7a97685\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER635B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6465.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER6503.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9F1C.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9FC8.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA056.tmp.xml

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\4ML83FcuAgQz3IZIJQZt9jp.zip

C:\Users\user\AppData\Local\Temp\kRsLnWC8nSKO7cxBB_GPBsv.zip

Windows Analysis Report
file.exe

Target ID:	18
Start time:	13:26:08
Start date:	24/06/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7520 -s 1756
Imagebase:	0xbf0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	26%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	48.4%
Total number of Nodes:	2000
Total number of Limit Nodes:	71

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre