Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1436950
MD5: 51014f1c86736d8f91d432548062ebbf
SHA1: 6d0bab0a443ff43c293f57dface65dfea47501a9
SHA256: 1845d2a25b628c6ff5e489f83ff975a0c8140bbeeb8ea05f5404a45ee2f9c7ea
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 19% Perma Link
Source: http://193.233.132.56/cost/lenin.exesepro Virustotal: Detection: 21% Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exe68.0 Virustotal: Detection: 15% Perma Link
Source: http://193.233.132.56/cost/go.exe00.1 Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.56/cost/go.exe Virustotal: Detection: 25% Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exeN Virustotal: Detection: 18% Perma Link
Source: http://193.233.132.56/cost/lenin.exe Virustotal: Detection: 26% Perma Link
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 39%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 39% Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 39% Perma Link
Source: file.exe Virustotal: Detection: 38% Perma Link
Source: file.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01036A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 0_2_01036A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003A6A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 5_2_003A6A80
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010566F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_010566F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01035F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_01035F80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA1F9C FindClose,FindFirstFileExW,GetLastError, 0_2_00FA1F9C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01003EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 0_2_01003EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_00FA2022
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01003850 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_01003850
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003C66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 5_2_003C66F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003BFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 5_2_003BFE80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00373EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 5_2_00373EC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00311F9C FindClose,FindFirstFileExW,GetLastError, 5_2_00311F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003A5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 5_2_003A5F80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00312022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 5_2_00312022
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00373850 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 5_2_00373850
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_751fa919568148cae58711204775ef674bafd71f_50e30abd_2c1d9ae0-1b69-4126-ae64-d738448a55b5\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d8cfe4b0b9575b2ab71f14e55e4d6484872cb94_df5fde7b_aa9d6a92-8d2d-4559-99fe-1b134b7dfc56\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49738
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49738
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 147.45.47.93:58709
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F880A0 recv, 0_2_00F880A0
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeD)a#
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeData
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeDatae
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeN
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeletsM
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe00.1
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe1
Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.execoin
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe)
Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeUser
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exerbirdox/i
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exesepro
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.18.dr String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101
Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101(
Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101D
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101c
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101g
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101s
Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/ggg
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=84.17.40.101
Source: RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=84.17.40.101e
Source: MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=84.17.40.101o
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 00000008.00000002.2015798047.000000000199B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001963000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.2023815185.0000000001C28000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.000000000178A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.000000000167F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.000000000195B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001972000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/84.17.40.101
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/84.17.40.101~W
Source: file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/84.17.40.101
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr String found in binary or memory: https://support.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.4
Source: RageMP131.exe, 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, 9wBRx7ST9VOnJqni_JpioUs.zip.5.dr, wwigCWSFuz2MihL8u4G1uFC.zip.8.dr, tC131VXqxqwXyoqOe7muh9i.zip.7.dr, PSdiYEtw_DOSPKoK_uBheap.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT7
Source: MPGPH131.exe, 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTli
Source: file.exe, 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTm
Source: MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1844046240.0000000001A1A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873756554.0000000001AF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.8.dr, passwords.txt.7.dr, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot#
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot&
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot4.17.40.101
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bots
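The records above mix two very different things under one signature. The db-ip.com, ipinfo.io and maxmind.com strings are the stealer resolving the infected host's public address (84.17.40.101 in this run) before exfiltration, and the t.me/RiseProSUPPORT and t.me/risepro_bot strings are the operator's contact channel baked into the binary and into the dropped passwords.txt; the Ecosia, DuckDuckGo, Yahoo and Mozilla URLs are default search-engine and bookmark entries carried along from the harvested Web Data, History and places.sqlite files and are not indicators of this sample. The script below, an added example and not part of the report, parses records in the report's own "Source: ... String found in binary or memory: ..." format, collapses trailing memory junk ("...101g", "risepro_bot4.17.40.101") onto the clean URL, records which process memory dumps and dropped files each string came from, and buckets the result by host. SAMPLE_RECORDS is a constructed, abbreviated subset of the lines above (source lists shortened), and the host-to-category table is this example's own triage heuristic, not a sandbox verdict.

```python
"""Normalize 'String found in binary or memory' records from a sandbox report
into a deduplicated, categorized list of network indicators.

Added example for this page, not code from the sandbox vendor or the report.
SAMPLE_RECORDS is a constructed, abbreviated subset of the report's own lines
(source lists shortened); CATEGORIES is this example's own triage heuristic.
"""
import re
from urllib.parse import urlsplit

# Constructed sample in the report's record format, abbreviated.
SAMPLE_RECORDS = """\
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101
Source: MPGPH131.exe String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101D
Source: file.exe String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101g
Source: MPGPH131.exe String found in binary or memory: https://db-ip.com/ggg
Source: file.exe, RageMP131.exe String found in binary or memory: https://ipinfo.io/widget/demo/84.17.40.101
Source: file.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe, 9wBRx7ST9VOnJqni_JpioUs.zip.5.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe String found in binary or memory: https://t.me/RiseProSUPPORT7
Source: RageMP131.exe, passwords.txt.5.dr String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe String found in binary or memory: https://t.me/risepro_bot4.17.40.101
Source: MPGPH131.exe String found in binary or memory: https://t.4
Source: file.exe, Y7ezkClN3tvGWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
"""

RECORD_RE = re.compile(r"^Source: (?P<sources>.*?) String found in binary or memory: (?P<string>\S+)\s*$")
IPV4_RE = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")

# Heuristic host -> category table (this example's assumption, not the report's).
CATEGORIES = (
    ({"db-ip.com", "ipinfo.io", "www.maxmind.com"},
     "ip-geolocation lookup of the victim's public IP"),
    ({"t.me"}, "operator contact channel"),
    ({"duckduckgo.com", "ac.ecosia.org", "www.ecosia.org", "cdn.ecosia.org",
      "ch.search.yahoo.com", "www.google.com"},
     "browser default search-engine strings (harvested Web Data, noise)"),
    ({"www.mozilla.org", "support.mozilla.org", "support.office.com"},
     "browser bookmark/history defaults (harvested profile, noise)"),
)


def canonical_url(raw, observed):
    """Strip trailing junk the memory dump glued onto a URL: if another observed
    string is a prefix of `raw` and the leftover holds no further path segment
    ('...101g', 'risepro_bot4.17.40.101'), collapse onto it, transitively."""
    best = max(
        (c for c in observed
         if c != raw and raw.startswith(c) and "/" not in raw[len(c):]),
        key=len, default=None,
    )
    return raw if best is None else canonical_url(best, observed)


def classify(url):
    """Bucket a URL by host; port suffixes such as db-ip.com:443 are ignored."""
    host = (urlsplit(url).hostname or "").lower()
    for hosts, label in CATEGORIES:
        if host in hosts:
            return label
    return "unclassified (review manually)"


def summarize(report_text):
    """Parse records into {canonical_url: {category, processes (.exe whose memory
    held it), dropped_files (.dr that contained it), raw_forms (all variants)}}."""
    records = []
    for line in report_text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            sources = [t.strip() for t in m["sources"].split(",")]
            records.append((sources, m["string"]))
    observed = {s for _, s in records}
    summary = {}
    for sources, raw in records:
        url = canonical_url(raw, observed)
        entry = summary.setdefault(url, {"category": classify(url), "processes": set(),
                                         "dropped_files": set(), "raw_forms": set()})
        entry["processes"].update(t for t in sources if t.lower().endswith(".exe"))
        entry["dropped_files"].update(t for t in sources if t.endswith(".dr"))
        entry["raw_forms"].add(raw)
    return summary


def looked_up_ips(summary):
    """IPv4 addresses embedded in geolocation-lookup URLs: the public address
    the sample resolved for the infected host (84.17.40.101 in this report)."""
    ips = set()
    for url, entry in summary.items():
        if entry["category"].startswith("ip-geolocation"):
            ips.update(IPV4_RE.findall(url))
    return ips


if __name__ == "__main__":
    result = summarize(SAMPLE_RECORDS)
    for url, e in sorted(result.items(), key=lambda kv: kv[1]["category"]):
        print(f"{e['category']:<66} {url}  [{', '.join(sorted(e['processes'] | e['dropped_files']))}]")
    print("public IP looked up:", ", ".join(sorted(looked_up_ips(result))))
```

Run against the full report text instead of SAMPLE_RECORDS to get the complete list. The prefix-collapse rule is deliberately conservative: it only folds a string onto a shorter observed string when the leftover contains no "/", so "https://ipinfo.io/Mozilla/5.0" (a URL fused with a User-Agent) is left as a separate entry rather than silently merged, and the host-based classifier still files it under the geolocation bucket.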
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr String found in binary or memory: https://www.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1871264871.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870214972.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873024686.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863834626.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866365018.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870708054.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864231696.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863653168.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866548748.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864002119.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870547168.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865973953.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1869370494.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.1907164226.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863659568.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872810764.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866453313.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873275007.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870000195.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865095538.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866116710.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863851821.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870498691.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864448208.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863077396.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1871475354.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865890235.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864066032.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865369865.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870911713.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102332006.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2107790457.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2098278909.000000000189A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/I
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/S
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/T
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/d
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1871264871.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870214972.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873024686.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863834626.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866365018.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870708054.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864231696.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863653168.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866548748.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864002119.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870547168.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865973953.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1869370494.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/-
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/eagonF
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
Source: file.exe, 00000000.00000003.1907164226.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863659568.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872810764.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866453313.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873275007.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870000195.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865095538.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866116710.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863851821.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870498691.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864448208.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863077396.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1871475354.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865890235.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864066032.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865369865.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870911713.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102332006.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2107790457.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2098278909.000000000189A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ta
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0101A180 0_2_0101A180
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB002D 0_2_00FB002D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0100F050 0_2_0100F050
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0100D320 0_2_0100D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01006330 0_2_01006330
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104E3B0 0_2_0104E3B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010003C0 0_2_010003C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01047580 0_2_01047580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010AF480 0_2_010AF480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01008630 0_2_01008630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F7B8E0 0_2_00F7B8E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC8BB0 0_2_00FC8BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FF1B90 0_2_00FF1B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0106AC30 0_2_0106AC30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104EFB0 0_2_0104EFB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104FE80 0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01003EC0 0_2_01003EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0100AEE0 0_2_0100AEE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01003000 0_2_01003000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA71A0 0_2_00FA71A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB036F 0_2_00FB036F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010142A0 0_2_010142A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01013590 0_2_01013590
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010B85F0 0_2_010B85F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00F9F580 0_2_00F9F580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FF4560 0_2_00FF4560
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01057760 0_2_01057760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC2610 0_2_00FC2610
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC47BF 0_2_00FC47BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010B7690 0_2_010B7690
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAC960 0_2_00FAC960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAA928 0_2_00FAA928
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FBDA86 0_2_00FBDA86
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0105FBA0 0_2_0105FBA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0105EBA0 0_2_0105EBA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010B5D10 0_2_010B5D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010B6C50 0_2_010B6C50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010A4C70 0_2_010A4C70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01062F30 0_2_01062F30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FC8E30 0_2_00FC8E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010B1E30 0_2_010B1E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0000 0_2_7EAF0000
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF09A3 0_2_7EAF09A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0032002D 5_2_0032002D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0037F050 5_2_0037F050
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0038A180 5_2_0038A180
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00376330 5_2_00376330
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0037D320 5_2_0037D320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003BE3B0 5_2_003BE3B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003703C0 5_2_003703C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0041F480 5_2_0041F480
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003B7580 5_2_003B7580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00378630 5_2_00378630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_002EB8E0 5_2_002EB8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00361B90 5_2_00361B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003DAC30 5_2_003DAC30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00425D10 5_2_00425D10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003BFE80 5_2_003BFE80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0037AEE0 5_2_0037AEE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00373EC0 5_2_00373EC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003BEFB0 5_2_003BEFB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00373000 5_2_00373000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003171A0 5_2_003171A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003842A0 5_2_003842A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0032036F 5_2_0032036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00364560 5_2_00364560
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00383590 5_2_00383590
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0030F580 5_2_0030F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_004285F0 5_2_004285F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00427690 5_2_00427690
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003C7760 5_2_003C7760
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003347BF 5_2_003347BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0031A928 5_2_0031A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0031C960 5_2_0031C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0032DA86 5_2_0032DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00338BB0 5_2_00338BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003CEBA0 5_2_003CEBA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003CFBA0 5_2_003CFBA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00426C50 5_2_00426C50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00414C70 5_2_00414C70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00338E30 5_2_00338E30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00421E30 5_2_00421E30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003D2F30 5_2_003D2F30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_7F0409A3 5_2_7F0409A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_7F040000 5_2_7F040000
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00F8ACE0 appears 86 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 002FACE0 appears 86 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944
Source: file.exe, 00000000.00000000.1612444595.0000000001111000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9999685247031382
Source: file.exe Static PE information: Section: ZLIB complexity 0.9983648255813954
Source: file.exe Static PE information: Section: ZLIB complexity 0.9970703125
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9999685247031382
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983648255813954
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9970703125
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9999685247031382
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9983648255813954
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9970703125
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@15/106@2/3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7784
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7672
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7584
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7428
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.1907164226.0000000001D16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872810764.0000000001D16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873275007.0000000001D16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001D16000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE segment_dV;
Source: RageMP131.exe, 00000007.00000003.1819367845.0000000001A42000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1819751197.0000000001A42000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863834626.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864231696.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, cCZagzzOxnzSLogin Data For Account.7.dr, a7mDNvwnbxnHLogin Data For Account.8.dr, TLE_gXdWplrQLogin Data.0.dr, S1kWLfoUHhbSLogin Data.5.dr, LjKc4cZCdkn6Login Data.8.dr, KD92s1mFJPJgLogin Data For Account.0.dr, h7vTUP6iIQXbLogin Data.7.dr, ZhaKbTXVRlMcLogin Data For Account.5.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Virustotal: Detection: 38%
Source: file.exe ReversingLabs: Detection: 39%
Source: file.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1908
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 1980
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 1960
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe Static file information: File size 3188736 > 1048576
Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x221000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.f70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 5.2.MPGPH131.exe.2e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.2e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 7.2.RageMP131.exe.610000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.610000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0103F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0103F200
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA3F59 push ecx; ret 0_2_00FA3F6C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF16A0 push 7EAF0002h; ret 0_2_7EAF16AF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1EB0 push 7EAF0002h; ret 0_2_7EAF1EBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1E80 push 7EAF0002h; ret 0_2_7EAF1E8F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0E90 push 7EAF0002h; ret 0_2_7EAF0E9F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2690 push 7EAF0002h; ret 0_2_7EAF269F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1EE0 push 7EAF0002h; ret 0_2_7EAF1EEF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0EF0 push 7EAF0002h; ret 0_2_7EAF0EFF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF26F0 push 7EAF0002h; ret 0_2_7EAF26FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0EC0 push 7EAF0002h; ret 0_2_7EAF0ECF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF26C0 push 7EAF0002h; ret 0_2_7EAF26CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF16D0 push 7EAF0002h; ret 0_2_7EAF16DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1E20 push 7EAF0002h; ret 0_2_7EAF1E2F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0E30 push 7EAF0002h; ret 0_2_7EAF0E3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2630 push 7EAF0002h; ret 0_2_7EAF263F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0E00 push 7EAF0002h; ret 0_2_7EAF0E0F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2600 push 7EAF0002h; ret 0_2_7EAF260F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1610 push 7EAF0002h; ret 0_2_7EAF161F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0E60 push 7EAF0002h; ret 0_2_7EAF0E6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2660 push 7EAF0002h; ret 0_2_7EAF266F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1670 push 7EAF0002h; ret 0_2_7EAF167F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1640 push 7EAF0002h; ret 0_2_7EAF164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1E50 push 7EAF0002h; ret 0_2_7EAF1E5F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1FA0 push 7EAF0002h; ret 0_2_7EAF1FAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0FB0 push 7EAF0002h; ret 0_2_7EAF0FBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF27B0 push 7EAF0002h; ret 0_2_7EAF27BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0F80 push 7EAF0002h; ret 0_2_7EAF0F8F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF2780 push 7EAF0002h; ret 0_2_7EAF278F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF1790 push 7EAF0002h; ret 0_2_7EAF179F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF0FE0 push 7EAF0002h; ret 0_2_7EAF0FEF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7EAF27E0 push 7EAF0002h; ret 0_2_7EAF27EF
Source: file.exe Static PE information: section name: entropy: 7.999675017725288
Source: file.exe Static PE information: section name: entropy: 7.99639087266641
Source: file.exe Static PE information: section name: entropy: 7.83802229172669
Source: file.exe Static PE information: section name: entropy: 7.972593331740996
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.999675017725288
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.99639087266641
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.83802229172669
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.972593331740996
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.999675017725288
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.99639087266641
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.83802229172669
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.972593331740996
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 751
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1120
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe Evaded block: after key decision
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evaded block: after key decision
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe TID: 7432 Thread sleep count: 751 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7432 Thread sleep count: 117 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 1120 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 117 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588 Thread sleep count: 108 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 Thread sleep count: 349 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 Thread sleep count: 134 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596 Thread sleep count: 106 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7676 Thread sleep count: 117 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7676 Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7788 Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7788 Thread sleep count: 308 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7788 Thread sleep count: 31 > 30
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010566F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_010566F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01035F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_01035F80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA1F9C FindClose,FindFirstFileExW,GetLastError, 0_2_00FA1F9C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01003EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 0_2_01003EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA2022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_00FA2022
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01003850 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_01003850
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003C66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 5_2_003C66F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003BFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 5_2_003BFE80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00373EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 5_2_00373EC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00311F9C FindClose,FindFirstFileExW,GetLastError, 5_2_00311F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003A5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 5_2_003A5F80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00312022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 5_2_00312022
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00373850 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 5_2_00373850
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_751fa919568148cae58711204775ef674bafd71f_50e30abd_2c1d9ae0-1b69-4126-ae64-d738448a55b5\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d8cfe4b0b9575b2ab71f14e55e4d6484872cb94_df5fde7b_aa9d6a92-8d2d-4559-99fe-1b134b7dfc56\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2023815185.0000000001C49000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(j
Source: RageMP131.exe, 00000008.00000003.1872875473.0000000001AA1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Dk&Ven_VMware&P
Source: RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000L
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.1872700677.0000000001D57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.18.dr Binary or memory string: vmci.sys
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: vmware
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, 00000006.00000003.1661761468.00000000016B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.18.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual RAM
Source: RageMP131.exe, 00000008.00000003.1874545027.0000000001A92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: Amcache.hve.18.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RageMP131.exe, 00000008.00000003.1874545027.0000000001A92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000006.00000002.2121250052.000000000169C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000N
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7A82178D
Source: Amcache.hve.18.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.18.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RageMP131.exe, 00000008.00000002.2015798047.000000000199B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}uV
Source: Amcache.hve.18.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Amcache.hve.18.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr Binary or memory string: \driver\vmci,\driver\pci
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000124E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000008EE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000008EE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ~VirtualMachineTypes
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000124E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000008EE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000008EE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000124E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000008EE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000008EE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW^b
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.18.dr Binary or memory string: VMware
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.18.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}9
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.000000000169C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.000000000197C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001993000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 00000008.00000003.1815205780.00000000019A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}tV
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 00000007.00000003.1739888881.000000000198D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.18.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ta\*
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}iles\fqs92o4p.default-release\signons.sqlite-journal
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.18.dr Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.18.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr Binary or memory string: VMware VMCI Bus Device
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.18.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000003.1874545027.0000000001A92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Only
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7A82178D-
Source: Amcache.hve.18.dr Binary or memory string: vmci.syshbin
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.18.dr Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 00000007.00000003.1831034423.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}OT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0)S)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.18.dr Binary or memory string: VMware20,1hbin@
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.18.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.18.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.18.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW$
Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: VBoxService.exe
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXz~
Source: Amcache.hve.18.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: VMWare
Source: Amcache.hve.18.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
Source: RageMP131.exe, 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA8A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FA8A64
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0103F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0103F200
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01036D00 mov eax, dword ptr fs:[00000030h] 0_2_01036D00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_01003EC0 mov eax, dword ptr fs:[00000030h] 0_2_01003EC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003A6D00 mov eax, dword ptr fs:[00000030h] 5_2_003A6D00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00373EC0 mov eax, dword ptr fs:[00000030h] 5_2_00373EC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_010599F0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_010599F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00FA451D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA8A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00FA8A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_0031451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_0031451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_00318A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00318A64

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0103F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0103F200
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 5_2_003AF200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 5_2_003AF200
Source: C:\Users\user\Desktop\file.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00FC31CA
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00FBB1B1
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00FC32F3
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00FC33F9
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00FC34CF
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00FBB734
Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00FC2B5A
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_00FC2D5F
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00FC2EEC
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00FC2E51
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_00FC2E06
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00FC2F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 5_2_003BFE80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 5_2_0032B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 5_2_003331CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_003332F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 5_2_003333F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_003334CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 5_2_0032B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 5_2_00332B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 5_2_00332D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 5_2_00332E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 5_2_00332E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 5_2_00332EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_00332F77
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Source: Amcache.hve.18.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wwigCWSFuz2MihL8u4G1uFC.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\9wBRx7ST9VOnJqni_JpioUs.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tC131VXqxqwXyoqOe7muh9i.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\PSdiYEtw_DOSPKoK_uBheap.zip, type: DROPPED
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx0gA
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsTP
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet*;T
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7784, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7672, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7784, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\wwigCWSFuz2MihL8u4G1uFC.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\9wBRx7ST9VOnJqni_JpioUs.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\tC131VXqxqwXyoqOe7muh9i.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\PSdiYEtw_DOSPKoK_uBheap.zip, type: DROPPED