Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1436950
MD5:	51014f1c86736d8f91d432548062ebbf
SHA1:	6d0bab0a443ff43c293f57dface65dfea47501a9
SHA256:	1845d2a25b628c6ff5e489f83ff975a0c8140bbeeb8ea05f5404a45ee2f9c7ea
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Connects to many ports of the same IP (likely port scanning)

Contains functionality to inject threads in other processes

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file has nameless sections

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evaded block containing many API calls

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7428 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 51014F1C86736D8F91D432548062EBBF)

schtasks.exe (PID: 7488 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7536 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7544 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WerFault.exe (PID: 7324 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 1980 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MPGPH131.exe (PID: 7584 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 51014F1C86736D8F91D432548062EBBF)

WerFault.exe (PID: 2816 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 1960 MD5: C31336C1EFC2CCB44B4326EA793040F2)

MPGPH131.exe (PID: 7592 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 51014F1C86736D8F91D432548062EBBF)

RageMP131.exe (PID: 7672 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 51014F1C86736D8F91D432548062EBBF)

WerFault.exe (PID: 8136 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944 MD5: C31336C1EFC2CCB44B4326EA793040F2)

RageMP131.exe (PID: 7784 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 51014F1C86736D8F91D432548062EBBF)

WerFault.exe (PID: 6536 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1908 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Users\user\AppData\Local\Temp\wwigCWSFuz2MihL8u4G1uFC.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\9wBRx7ST9VOnJqni_JpioUs.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\tC131VXqxqwXyoqOe7muh9i.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
C:\Users\user\AppData\Local\Temp\PSdiYEtw_DOSPKoK_uBheap.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: file.exe PID: 7428	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: file.exe PID: 7428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7584	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7592	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7672	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7672	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7784	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 16 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 7428, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.93

Timestamp:	05/06/24-20:08:42.332746
SID:	2046269
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	05/06/24-20:08:11.803337
SID:	2046267
Source Port:	58709
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	05/06/24-20:07:53.913307
SID:	2046266
Source Port:	58709
Destination Port:	49730
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.93

Timestamp:	05/06/24-20:07:57.036164
SID:	2046269
Source Port:	49730
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 147.45.47.93

Timestamp:	05/06/24-20:07:53.682907
SID:	2049060
Source Port:	49730
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	05/06/24-20:08:04.120685
SID:	2046266
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	05/06/24-20:08:05.646832
SID:	2046267
Source Port:	58709
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	05/06/24-20:07:56.321028
SID:	2046266
Source Port:	58709
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.93

Timestamp:	05/06/24-20:08:18.051763
SID:	2046269
Source Port:	49738
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	05/06/24-20:07:56.309289
SID:	2046266
Source Port:	58709
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	05/06/24-20:08:11.640975
SID:	2046266
Source Port:	58709
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	05/06/24-20:08:15.381006
SID:	2046267
Source Port:	58709
Destination Port:	49731
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 147.45.47.93 - Destination IP: 192.168.2.4

Timestamp:	05/06/24-20:08:11.897367
SID:	2046267
Source Port:	58709
Destination Port:	49738
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.93

Timestamp:	05/06/24-20:08:09.259896
SID:	2046269
Source Port:	49733
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 147.45.47.93

Timestamp:	05/06/24-20:08:30.364347
SID:	2046269
Source Port:	49732
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://147.45.47.102:57893/hera/amadka.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://147.45.47.102:57893/hera/amadka.exe	Virustotal: Detection: 19%	Perma Link
Source: http://193.233.132.56/cost/lenin.exesepro	Virustotal: Detection: 21%	Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exe68.0	Virustotal: Detection: 15%	Perma Link
Source: http://193.233.132.56/cost/go.exe00.1	Virustotal: Detection: 18%	Perma Link
Source: http://193.233.132.56/cost/go.exe	Virustotal: Detection: 25%	Perma Link
Source: http://147.45.47.102:57893/hera/amadka.exeN	Virustotal: Detection: 18%	Perma Link
Source: http://193.233.132.56/cost/lenin.exe	Virustotal: Detection: 26%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 39%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Virustotal: Detection: 39%	Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Virustotal: Detection: 39%	Perma Link

Multi AV Scanner detection for submitted file

Source: file.exe	Virustotal: Detection: 38%			Perma Link
Source: file.exe	ReversingLabs: Detection: 39%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01036A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,		0_2_01036A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003A6A80 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,		5_2_003A6A80

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010566F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_010566F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01035F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_01035F80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00FA1F9C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01003EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,	0_2_01003EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA2022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00FA2022
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01003850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_01003850
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003C66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	5_2_003C66F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003BFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	5_2_003BFE80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00373EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,	5_2_00373EC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00311F9C FindClose,FindFirstFileExW,GetLastError,	5_2_00311F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003A5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	5_2_003A5F80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00312022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	5_2_00312022
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00373850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	5_2_00373850

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_751fa919568148cae58711204775ef674bafd71f_50e30abd_2c1d9ae0-1b69-4126-ae64-d738448a55b5\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d8cfe4b0b9575b2ab71f14e55e4d6484872cb94_df5fde7b_aa9d6a92-8d2d-4559-99fe-1b134b7dfc56\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49731 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49733
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49733 -> 147.45.47.93:58709
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49738
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49738
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49731
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 147.45.47.93:58709

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View	IP Address: 104.26.5.15 104.26.5.15

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown	TCP traffic detected without corresponding DNS query: 147.45.47.93

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00F880A0 recv,

0_2_00F880A0

Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic	HTTP traffic detected: GET /widget/demo/84.17.40.101 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=84.17.40.101 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeD)a#
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeData
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeDatae
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeN
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeletsM
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exe00.1
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.exe1
Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/go.execoin
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exe)
Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exeUser
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exerbirdox/i
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.56/cost/lenin.exesepro
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.18.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101
Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101(
Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101D
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101c
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101g
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=84.17.40.101s
Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/ggg
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=84.17.40.101
Source: RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=84.17.40.101e
Source: MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=84.17.40.101o
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 00000008.00000002.2015798047.000000000199B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001963000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.2023815185.0000000001C28000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.000000000178A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.000000000167F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.000000000195B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001972000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/84.17.40.101
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/84.17.40.101~W
Source: file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/84.17.40.101
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr	String found in binary or memory: https://support.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.4
Source: RageMP131.exe, 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, 9wBRx7ST9VOnJqni_JpioUs.zip.5.dr, wwigCWSFuz2MihL8u4G1uFC.zip.8.dr, tC131VXqxqwXyoqOe7muh9i.zip.7.dr, PSdiYEtw_DOSPKoK_uBheap.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT7
Source: MPGPH131.exe, 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTli
Source: file.exe, 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTm
Source: MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1844046240.0000000001A1A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873756554.0000000001AF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.8.dr, passwords.txt.7.dr, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot#
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot&
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot4.17.40.101
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botlater
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bots
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr	String found in binary or memory: https://www.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1871264871.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870214972.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873024686.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863834626.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866365018.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870708054.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864231696.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863653168.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866548748.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864002119.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870547168.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865973953.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1869370494.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.1907164226.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863659568.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872810764.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866453313.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873275007.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870000195.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865095538.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866116710.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863851821.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870498691.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864448208.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863077396.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1871475354.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865890235.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864066032.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865369865.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870911713.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102332006.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2107790457.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2098278909.000000000189A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/I
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/S
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/T
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/d
Source: 3b6N2Xdh3CYwplaces.sqlite.8.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1871264871.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870214972.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873024686.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863834626.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866365018.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870708054.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864231696.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863653168.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1866548748.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864002119.0000000001A64000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1870547168.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865973953.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1869370494.0000000001A5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/-
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/eagonF
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
Source: file.exe, 00000000.00000003.1907164226.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863659568.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872810764.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866453313.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873275007.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870000195.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865095538.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1866116710.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863851821.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870498691.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864448208.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1863077396.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1871475354.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865890235.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864066032.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1865369865.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1870911713.0000000001D42000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102332006.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2107790457.000000000189A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2098278909.000000000189A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
Source: RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/ta

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown	Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49735 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49744 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49747 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49750 version: TLS 1.2

System Summary

PE file has nameless sections

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0101A180	0_2_0101A180
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB002D	0_2_00FB002D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100F050	0_2_0100F050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100D320	0_2_0100D320
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01006330	0_2_01006330
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104E3B0	0_2_0104E3B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010003C0	0_2_010003C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01047580	0_2_01047580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010AF480	0_2_010AF480
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01008630	0_2_01008630
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F7B8E0	0_2_00F7B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC8BB0	0_2_00FC8BB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF1B90	0_2_00FF1B90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106AC30	0_2_0106AC30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104EFB0	0_2_0104EFB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104FE80	0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01003EC0	0_2_01003EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0100AEE0	0_2_0100AEE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01003000	0_2_01003000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA71A0	0_2_00FA71A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FB036F	0_2_00FB036F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010142A0	0_2_010142A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01013590	0_2_01013590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010B85F0	0_2_010B85F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F9F580	0_2_00F9F580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FF4560	0_2_00FF4560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01057760	0_2_01057760
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC2610	0_2_00FC2610
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC47BF	0_2_00FC47BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010B7690	0_2_010B7690
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAC960	0_2_00FAC960
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FAA928	0_2_00FAA928
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FBDA86	0_2_00FBDA86
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105FBA0	0_2_0105FBA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0105EBA0	0_2_0105EBA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010B5D10	0_2_010B5D10
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010B6C50	0_2_010B6C50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010A4C70	0_2_010A4C70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01062F30	0_2_01062F30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FC8E30	0_2_00FC8E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010B1E30	0_2_010B1E30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0000	0_2_7EAF0000
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF09A3	0_2_7EAF09A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0032002D	5_2_0032002D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0037F050	5_2_0037F050
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0038A180	5_2_0038A180
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00376330	5_2_00376330
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0037D320	5_2_0037D320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003BE3B0	5_2_003BE3B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003703C0	5_2_003703C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0041F480	5_2_0041F480
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003B7580	5_2_003B7580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00378630	5_2_00378630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_002EB8E0	5_2_002EB8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00361B90	5_2_00361B90
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003DAC30	5_2_003DAC30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00425D10	5_2_00425D10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003BFE80	5_2_003BFE80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0037AEE0	5_2_0037AEE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00373EC0	5_2_00373EC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003BEFB0	5_2_003BEFB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00373000	5_2_00373000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003171A0	5_2_003171A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003842A0	5_2_003842A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0032036F	5_2_0032036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00364560	5_2_00364560
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00383590	5_2_00383590
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0030F580	5_2_0030F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_004285F0	5_2_004285F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00427690	5_2_00427690
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003C7760	5_2_003C7760
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003347BF	5_2_003347BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0031A928	5_2_0031A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0031C960	5_2_0031C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0032DA86	5_2_0032DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00338BB0	5_2_00338BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003CEBA0	5_2_003CEBA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003CFBA0	5_2_003CFBA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00426C50	5_2_00426C50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00414C70	5_2_00414C70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00338E30	5_2_00338E30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00421E30	5_2_00421E30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003D2F30	5_2_003D2F30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_7F0409A3	5_2_7F0409A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_7F040000	5_2_7F040000

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 00F8ACE0 appears 86 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 002FACE0 appears 86 times

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944

Source: file.exe, 00000000.00000000.1612444595.0000000001111000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe	Static PE information: Section: ZLIB complexity 0.9999685247031382
Source: file.exe	Static PE information: Section: ZLIB complexity 0.9983648255813954
Source: file.exe	Static PE information: Section: ZLIB complexity 0.9970703125
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9999685247031382
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9983648255813954
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9970703125
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9999685247031382
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9983648255813954
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9970703125

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@15/106@2/3

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

0_2_0104FE80

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7784
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7672
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7584
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7428
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7496:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.1907164226.0000000001D16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1872810764.0000000001D16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1873275007.0000000001D16000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2023815185.0000000001D16000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE segment_dV;
Source: RageMP131.exe, 00000007.00000003.1819367845.0000000001A42000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1819751197.0000000001A42000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1863834626.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864231696.0000000001A63000.00000004.00000020.00020000.00000000.sdmp, cCZagzzOxnzSLogin Data For Account.7.dr, a7mDNvwnbxnHLogin Data For Account.8.dr, TLE_gXdWplrQLogin Data.0.dr, S1kWLfoUHhbSLogin Data.5.dr, LjKc4cZCdkn6Login Data.8.dr, KD92s1mFJPJgLogin Data For Account.0.dr, h7vTUP6iIQXbLogin Data.7.dr, ZhaKbTXVRlMcLogin Data For Account.5.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe	Virustotal: Detection: 38%
Source: file.exe	ReversingLabs: Detection: 39%

Source: file.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1908
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 1980
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 1960
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dpapi.dll

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static file information: File size 3188736 > 1048576

Source: file.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x221000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.f70000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 5.2.MPGPH131.exe.2e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.2e0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 7.2.RageMP131.exe.610000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 8.2.RageMP131.exe.610000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0103F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

0_2_0103F200

Source: initial sample

Static PE information: section where entry point is pointing to: .data

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA3F59 push ecx; ret	0_2_00FA3F6C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF16A0 push 7EAF0002h; ret	0_2_7EAF16AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1EB0 push 7EAF0002h; ret	0_2_7EAF1EBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1E80 push 7EAF0002h; ret	0_2_7EAF1E8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0E90 push 7EAF0002h; ret	0_2_7EAF0E9F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF2690 push 7EAF0002h; ret	0_2_7EAF269F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1EE0 push 7EAF0002h; ret	0_2_7EAF1EEF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0EF0 push 7EAF0002h; ret	0_2_7EAF0EFF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF26F0 push 7EAF0002h; ret	0_2_7EAF26FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0EC0 push 7EAF0002h; ret	0_2_7EAF0ECF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF26C0 push 7EAF0002h; ret	0_2_7EAF26CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF16D0 push 7EAF0002h; ret	0_2_7EAF16DF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1E20 push 7EAF0002h; ret	0_2_7EAF1E2F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0E30 push 7EAF0002h; ret	0_2_7EAF0E3F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF2630 push 7EAF0002h; ret	0_2_7EAF263F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0E00 push 7EAF0002h; ret	0_2_7EAF0E0F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF2600 push 7EAF0002h; ret	0_2_7EAF260F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1610 push 7EAF0002h; ret	0_2_7EAF161F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0E60 push 7EAF0002h; ret	0_2_7EAF0E6F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF2660 push 7EAF0002h; ret	0_2_7EAF266F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1670 push 7EAF0002h; ret	0_2_7EAF167F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1640 push 7EAF0002h; ret	0_2_7EAF164F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1E50 push 7EAF0002h; ret	0_2_7EAF1E5F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1FA0 push 7EAF0002h; ret	0_2_7EAF1FAF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0FB0 push 7EAF0002h; ret	0_2_7EAF0FBF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF27B0 push 7EAF0002h; ret	0_2_7EAF27BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0F80 push 7EAF0002h; ret	0_2_7EAF0F8F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF2780 push 7EAF0002h; ret	0_2_7EAF278F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF1790 push 7EAF0002h; ret	0_2_7EAF179F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF0FE0 push 7EAF0002h; ret	0_2_7EAF0FEF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_7EAF27E0 push 7EAF0002h; ret	0_2_7EAF27EF

Source: file.exe	Static PE information: section name: entropy: 7.999675017725288
Source: file.exe	Static PE information: section name: entropy: 7.99639087266641
Source: file.exe	Static PE information: section name: entropy: 7.83802229172669
Source: file.exe	Static PE information: section name: entropy: 7.972593331740996
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.999675017725288
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.99639087266641
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.83802229172669
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.972593331740996
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.999675017725288
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.99639087266641
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.83802229172669
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.972593331740996

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\file.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe	Stalling execution: Execution stalls by calling Sleep			graph_0-47148
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep

Source: C:\Users\user\Desktop\file.exe	Window / User API: threadDelayed 751			Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1120			Jump to behavior

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_0-47148

Source: C:\Users\user\Desktop\file.exe	Evaded block: after key decision			graph_0-50901
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evaded block: after key decision

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes			graph_0-47978

Source: C:\Users\user\Desktop\file.exe TID: 7432	Thread sleep count: 751 > 30	Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7432	Thread sleep count: 117 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588	Thread sleep count: 1120 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588	Thread sleep count: 117 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7588	Thread sleep count: 108 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596	Thread sleep count: 349 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596	Thread sleep count: 134 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7596	Thread sleep count: 106 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7676	Thread sleep count: 117 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7676	Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7788	Thread sleep count: 38 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7788	Thread sleep count: 308 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7788	Thread sleep count: 31 > 30

Source: C:\Users\user\Desktop\file.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010566F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	0_2_010566F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01035F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_01035F80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA1F9C FindClose,FindFirstFileExW,GetLastError,	0_2_00FA1F9C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0104FE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01003EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,	0_2_01003EC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA2022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	0_2_00FA2022
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01003850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	0_2_01003850
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003C66F0 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	5_2_003C66F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003BFE80 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	5_2_003BFE80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00373EC0 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,	5_2_00373EC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00311F9C FindClose,FindFirstFileExW,GetLastError,	5_2_00311F9C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003A5F80 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	5_2_003A5F80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00312022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	5_2_00312022
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00373850 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	5_2_00373850

Source: C:\Users\user\Desktop\file.exe

0_2_0104FE80

Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_751fa919568148cae58711204775ef674bafd71f_50e30abd_2c1d9ae0-1b69-4126-ae64-d738448a55b5\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d8cfe4b0b9575b2ab71f14e55e4d6484872cb94_df5fde7b_aa9d6a92-8d2d-4559-99fe-1b134b7dfc56\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe	File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2023815185.0000000001C49000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(j
Source: RageMP131.exe, 00000008.00000003.1872875473.0000000001AA1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Dk&Ven_VMware&P
Source: RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000L
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000003.1872700677.0000000001D57000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.18.dr	Binary or memory string: vmci.sys
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: vmware
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, 00000006.00000003.1661761468.00000000016B1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.18.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.18.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual RAM
Source: RageMP131.exe, 00000008.00000003.1874545027.0000000001A92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\*
Source: Amcache.hve.18.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017B5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RageMP131.exe, 00000008.00000003.1874545027.0000000001A92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000006.00000002.2121250052.000000000169C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000N
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7A82178D
Source: Amcache.hve.18.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.18.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RageMP131.exe, 00000008.00000002.2015798047.000000000199B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}uV
Source: Amcache.hve.18.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.18.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000124E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000008EE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000008EE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: ~VirtualMachineTypes
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000124E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000008EE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000008EE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: ]DLL_Loader_VirtualMachine
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000124E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.00000000005BE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000008EE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000008EE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW^b
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Hyper-V
Source: Amcache.hve.18.dr	Binary or memory string: VMware
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.18.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/7rrP9UK+nYJkDUaruLFsmiax3GAXC2Igj63N1koqBHsy38rIIvg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}9
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.000000000169C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.000000000197C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001993000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 00000008.00000003.1815205780.00000000019A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}tV
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 00000007.00000003.1739888881.000000000198D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}SModulePath=%ProgramFiles(x86)%\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windows
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.18.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ta\*
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}iles\fqs92o4p.default-release\signons.sqlite-journal
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.18.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.18.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.18.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.18.dr	Binary or memory string: VMware VMCI Bus Device
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.18.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000003.1874545027.0000000001A92000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Only
Source: RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7A82178D-
Source: Amcache.hve.18.dr	Binary or memory string: vmci.syshbin
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.18.dr	Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 00000007.00000003.1831034423.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}OT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0)S)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.18.dr	Binary or memory string: VMware20,1hbin@
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: xVBoxService.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.18.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.18.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW$
Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: VBoxService.exe
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: MPGPH131.exe, 00000005.00000002.2173403489.00000000017A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXz~
Source: Amcache.hve.18.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: VMWare
Source: Amcache.hve.18.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
Source: RageMP131.exe, 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2021955024.000000000111E000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170943123.000000000048E000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119993872.000000000048E000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020826787.00000000007BE000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014794487.00000000007BE000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: #Windows 11 Microsoft Hyper-V Server

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00FA8A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00FA8A64

Source: C:\Users\user\Desktop\file.exe

0_2_0103F200

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01036D00 mov eax, dword ptr fs:[00000030h]	0_2_01036D00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01003EC0 mov eax, dword ptr fs:[00000030h]	0_2_01003EC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003A6D00 mov eax, dword ptr fs:[00000030h]	5_2_003A6D00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00373EC0 mov eax, dword ptr fs:[00000030h]	5_2_00373EC0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_010599F0 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree,

0_2_010599F0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00FA451D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA8A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00FA8A64
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0031451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0031451D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00318A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_00318A64

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0103F200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		0_2_0103F200
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_003AF200 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,		5_2_003AF200

Source: C:\Users\user\Desktop\file.exe	Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	0_2_0104FE80
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00FC31CA
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00FBB1B1
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_00FC32F3
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00FC33F9
Source: C:\Users\user\Desktop\file.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FC34CF
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00FBB734
Source: C:\Users\user\Desktop\file.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_00FC2B5A
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_00FC2D5F
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00FC2EEC
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00FC2E51
Source: C:\Users\user\Desktop\file.exe	Code function: EnumSystemLocalesW,	0_2_00FC2E06
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_00FC2F77
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	5_2_003BFE80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_0032B1B1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_003331CA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	5_2_003332F3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_003333F9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	5_2_003334CF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_0032B734
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	5_2_00332B5A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,	5_2_00332D5F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_00332E06
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_00332E51
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: EnumSystemLocalesW,	5_2_00332EEC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	5_2_00332F77

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\file.exe

0_2_0104FE80

Source: C:\Users\user\Desktop\file.exe

0_2_0104FE80

Source: C:\Users\user\Desktop\file.exe

0_2_0104FE80

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.18.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.18.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\wwigCWSFuz2MihL8u4G1uFC.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\9wBRx7ST9VOnJqni_JpioUs.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tC131VXqxqwXyoqOe7muh9i.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\PSdiYEtw_DOSPKoK_uBheap.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx0gA
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsTP
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet*;T
Source: file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match	File source: 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7784, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7592, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7672, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7784, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\wwigCWSFuz2MihL8u4G1uFC.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\9wBRx7ST9VOnJqni_JpioUs.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\tC131VXqxqwXyoqOe7muh9i.zip, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\PSdiYEtw_DOSPKoK_uBheap.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	11 Process Injection	3 Obfuscated Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	21 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	12 Software Packing	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	35 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	241 Security Software Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Virtualization/Sandbox Evasion	Cached Domain Credentials	12 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	38%	Virustotal		Browse
file.exe	39%	ReversingLabs	Win32.Trojan.Generic
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\ProgramData\MPGPH131\MPGPH131.exe	40%	Virustotal		Browse
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	39%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	40%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://pki-ocsp.symauth.com0	0%	URL Reputation	safe
http://147.45.47.102:57893/hera/amadka.exeDatae	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exe	100%	Avira URL Cloud	malware
http://147.45.47.102:57893/hera/amadka.exe68.0	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/lenin.exerbirdox/i	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exeD)a#	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/go.exe	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/lenin.exe)	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/lenin.exesepro	0%	Avira URL Cloud	safe
https://t.4	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/lenin.exeUser	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exe	20%	Virustotal		Browse
http://193.233.132.56/cost/go.exe00.1	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exeData	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/lenin.exesepro	22%	Virustotal		Browse
http://193.233.132.56/cost/go.exe1	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exeletsM	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exe68.0	15%	Virustotal		Browse
http://147.45.47.102:57893/hera/amadka.exeN	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/go.exe00.1	18%	Virustotal		Browse
http://193.233.132.56/cost/lenin.exe	0%	Avira URL Cloud	safe
http://193.233.132.56/cost/go.exe	25%	Virustotal		Browse
http://193.233.132.56/cost/go.execoin	0%	Avira URL Cloud	safe
http://147.45.47.102:57893/hera/amadka.exeN	18%	Virustotal		Browse
http://193.233.132.56/cost/lenin.exe	26%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		high
db-ip.com	104.26.5.15	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://db-ip.com/demo/home.php?s=84.17.40.101	false		high
https://ipinfo.io/widget/demo/84.17.40.101	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://db-ip.com/demo/home.php?s=84.17.40.101c	RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	3b6N2Xdh3CYwplaces.sqlite.8.dr	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	false		high
https://t.me/RiseProSUPPORTm	file.exe, 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=84.17.40.101g	file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://147.45.47.102:57893/hera/amadka.exe	file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07	file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	false		high
https://db-ip.com/	file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/demo/home.php?s=84.17.40.101s	RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORTli	MPGPH131.exe, 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp	false		high
http://147.45.47.102:57893/hera/amadka.exe68.0	RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr	false		high
http://147.45.47.102:57893/hera/amadka.exeDatae	MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.56/cost/lenin.exerbirdox/i	file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://147.45.47.102:57893/hera/amadka.exeD)a#	RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874348802.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro	MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.56/cost/lenin.exe)	file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://193.233.132.56/cost/go.exe	RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	false	25%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=84.17.40.101e	RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot&	RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot#	MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	false		high
https://t.me/risepro_botisepro_bot	file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.56/cost/lenin.exesepro	RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	false	22%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/84.17.40.101~W	RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com/ggg	MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT7	RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.4	MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	false		high
https://db-ip.com/demo/home.php?s=84.17.40.101(	MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	false		high
http://193.233.132.56/cost/lenin.exeUser	RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_bot4.17.40.101	RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://upx.sf.net	Amcache.hve.18.dr	false		high
https://db-ip.com:443/demo/home.php?s=84.17.40.101o	MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/RiseProSUPPORT	RageMP131.exe, 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, 9wBRx7ST9VOnJqni_JpioUs.zip.5.dr, wwigCWSFuz2MihL8u4G1uFC.zip.8.dr, tC131VXqxqwXyoqOe7muh9i.zip.7.dr, PSdiYEtw_DOSPKoK_uBheap.zip.0.dr	false		high
http://193.233.132.56/cost/go.exe00.1	RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	file.exe, 00000000.00000003.1864720375.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867274750.0000000001D67000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099216190.00000000018B0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2104564573.00000000018C5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822281358.0000000001A79000.00000004.00000020.00020000.00000000.sdmp, ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	false		high
https://ipinfo.io/Mozilla/5.0	file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017D7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.00000000017D1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	3b6N2Xdh3CYwplaces.sqlite.8.dr	false		high
http://147.45.47.102:57893/hera/amadka.exeData	RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	false		high
http://193.233.132.56/cost/go.exe1	RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=84.17.40.101D	MPGPH131.exe, 00000006.00000002.2121250052.00000000016C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot	RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1844046240.0000000001A1A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1873756554.0000000001AF6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.5.dr, passwords.txt.8.dr, passwords.txt.7.dr, passwords.txt.0.dr	false		high
http://147.45.47.102:57893/hera/amadka.exeletsM	file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/risepro_botlater	MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/	RageMP131.exe, 00000008.00000002.2015798047.000000000199B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001963000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019B7000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pki-ocsp.symauth.com0	file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr	false	URL Reputation: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	file.exe, MPGPH131.exe	false		high
http://147.45.47.102:57893/hera/amadka.exeN	MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=84.17.40.101	file.exe, 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmp	false		high
http://193.233.132.56/cost/lenin.exe	RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001A66000.00000004.00000020.00020000.00000000.sdmp	false	26%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	file.exe, 00000000.00000002.2021619357.0000000000F71000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.2170553211.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000002.2119820314.00000000002E1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000007.00000002.2020629490.0000000000611000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.2014597460.0000000000611000.00000040.00000001.01000000.00000005.sdmp	false		high
https://support.mozilla.org	3b6N2Xdh3CYwplaces.sqlite.8.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	ELASOvMcSsNrHistory.7.dr, vd0z8wzGefD1History.8.dr, LhmhqtkXTkbYHistory.0.dr, iCl1DNg_vvFNHistory.5.dr, QZolPj_wU7yvHistory.8.dr, BhPLdlMH4HviHistory.5.dr, UqNl41FdpO7sHistory.0.dr, OAwfuvRJ7Zo3History.7.dr	false		high
https://ipinfo.io:443/widget/demo/84.17.40.101	file.exe, 00000000.00000002.2023815185.0000000001C71000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2121250052.0000000001647000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.2022464307.00000000019A2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_bots	MPGPH131.exe, 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2056651399.00000000017DE000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1865241711.0000000001D6B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1864375367.0000000001D5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1867863334.0000000001D78000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2099008633.00000000018B3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2102021978.00000000018D2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000003.2105243412.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820028873.0000000001A7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1822926347.0000000001A9F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000003.1820619276.0000000001A9B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1867422417.0000000001AD2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1864465481.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1865350119.0000000001ABC000.00000004.00000020.00020000.00000000.sdmp, DOGuPW8VgXDwWeb Data.5.dr, 1bA0iPxs1_tpWeb Data.8.dr, Z82s7O924lLeWeb Data.5.dr, Y7ezkClN3tvGWeb Data.0.dr, QALFCGqIe0GzWeb Data.8.dr, V9veGYQ701aZWeb Data.7.dr, 4deeADJYPmpQWeb Data.0.dr, pTWMc6sLNinTWeb Data.7.dr, 42h4yDt09kAFWeb Data.7.dr	false		high
http://193.233.132.56/cost/go.execoin	RageMP131.exe, 00000008.00000003.1874959213.0000000001A65000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.1874632671.0000000001A65000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
147.45.47.93	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
104.26.5.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1436950
Start date and time:	2024-05-06 20:07:05 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@15/106@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 58% Number of executed functions: 56 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.168.117.173, 52.182.143.212
Excluded domains from analysis (whitelisted): onedsblobprdeus16.eastus.cloudapp.azure.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
19:07:52	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
19:07:53	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
19:07:53	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
19:08:00	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:08:28	API Interceptor	80x Sleep call for process: MPGPH131.exe modified
20:08:29	API Interceptor	4x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
147.45.47.93	1CMweaqlKp.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	vEaFCBsRb7.exe	Get hash	malicious	RisePro Stealer	Browse
	oO2wHSVFJM.exe	Get hash	malicious	RisePro Stealer	Browse
	hYrJbjnzVc.exe	Get hash	malicious	RisePro Stealer	Browse
	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse
	RY5YJaMEWE.exe	Get hash	malicious	RisePro Stealer	Browse
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse
	0BzQNa8hYd.exe	Get hash	malicious	RisePro Stealer	Browse
104.26.5.15	SecuriteInfo.com.Win64.Evo-gen.17494.7440.exe	Get hash	malicious	Unknown	Browse	api.db-ip.com/v2/free/127.0.0.1
	Nemty.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/84.17.52.2/countryName
	227.exe	Get hash	malicious	Nemty	Browse	api.db-ip.com/v2/free/102.129.143.40/countryName

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	OJa1BOigU3.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	34.117.186.192
	OJa1BOigU3.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://reactivate-account.live/	Get hash	malicious	Unknown	Browse	34.117.186.192
	wNyot4Puq5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.186.192
	SecuriteInfo.com.Win32.Malware-gen.14907.28959.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win32.Malware-gen.14907.28959.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	vEaFCBsRb7.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	oO2wHSVFJM.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
db-ip.com	OJa1BOigU3.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	104.26.5.15
	OJa1BOigU3.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	vEaFCBsRb7.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	oO2wHSVFJM.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	4yFaZU8fhT.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	RY5YJaMEWE.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	OUZXNOqKXg.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	0BzQNa8hYd.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://u.to/rh6dIA	Get hash	malicious	Unknown	Browse	34.117.121.53
	MDE_File_Sample_1fd07379ca528bc6536b2053dddc3ea7bf85e268 (1).zip	Get hash	malicious	Flawedammyy	Browse	34.117.188.166
	OJa1BOigU3.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	34.117.186.192
	OJa1BOigU3.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	https://reactivate-account.live/	Get hash	malicious	Unknown	Browse	34.117.186.192
	wNyot4Puq5.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	34.117.186.192
	SecuriteInfo.com.Win32.Malware-gen.14907.28959.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SecuriteInfo.com.Win32.Malware-gen.14907.28959.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	1CMweaqlKp.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	34.117.186.192
	SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
FREE-NET-ASFREEnetEU	OJa1BOigU3.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	193.233.132.253
	OJa1BOigU3.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.226
	9vZbHuuOq6.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.253
	ABD88D155FC99F529EDC0F725A4151C61126B7890BC6B.exe	Get hash	malicious	DCRat	Browse	147.45.44.3
	1CMweaqlKp.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Mars Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	147.45.47.93
	SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	vEaFCBsRb7.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	oO2wHSVFJM.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	hYrJbjnzVc.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
CLOUDFLARENETUS	http://url2702.birdlinesurvey.com/ls/click?upn=u001.fvR7TaIBWduFhQsheFn3aEaPhK8uODx4FECc3zInjq9BSAf6gBrj2-2BedXmzSOWcd7vxp_lhEpvcamcm95WhC017PRgUW5-2FexFmUztzt-2BcKquNxQ1YN72CKbQQSny2VeQqNZrhBFTOEqx-2F39TrKU7BM5IdEMb8Ff5ZieEcgOxfUarcqJlesyk2zJY-2BwChBwanXRRguoubpfSPqJUGeBH-2BzQeyYA0nqbzb6SKnXlWMM81gllISMtxtUwBSKbkxJz93WcSM4hTla0Kc1ku7W5WS7mebxSuTWlLTTC-2FhqXapGO2vZ08oTfJZVndvi6I-2BSnihO3dZsSJgENxwP5ZhoejGfPPs1Na-2FVC2UyFhZFyHjm0X4TH2XjgB8AYX07PdLxDOeoeWyiOnumIU4-2B-2FgJov9FyGEDMwPThdsm2z08qXDtfdx0QY6k32zVGOZMjxPkju1pYu-2B-2BIuSn1OLU8E2ck-2ByrYb4gXHvkd08o-2FHpdsvgFBnmLtYDeKd7vxr1IhtyjP-2F7suT-2BOfLMWrgiPDFhYVGGNB34EPhojLkUDKyEX35z0JUhT-2FSaPoSfbYVLUvzNDpg8UZ48DeSGARh29mUxJgFc3uzTCxyTF0Fpnvt7ZJKajvB7kNsGeaoRFHFpUHzNVsrYK1-2F1wGrAVj4ZEp-2FG58qkwpBzPAruseXEAU6-2B6hEfYNMONrNvIY3vz2ha-2Buhz-2B1j3r-2BlhJV3MJvwCHsnDS-2BEQb3ae9OABVw0ZkVBjYVDB8BpSYCBmu3oAOjJJvgg9foyeOeKFSaqitIV8XTM2RDg8SEHJb5Q5pucXuEGbqophNoPNxxiUg1BeM9YM9XQ9Q8TMcWw37s3qSJtDR9CV6L0GplPi-2Bq6Z9-2FD8pF7r-2BPjSP9fvF9bsB0rEgBa7-2BFpP02oFrZA82EmV0vtJFdb5DlGrcdYINE3Rc0UBEelzIaogt1DDEMdOA-3D	Get hash	malicious	Unknown	Browse	162.159.137.9
	http://email.panatech.io/c/eJykzbFuwyAQgOGnwVstOExiDwypIqaqa6pux3EppAZbmFRKn76K_Ajd_uXTH-x1UHBQHVt1VEZKMFJ10QL5idF4CqO-TmoMo2YmDBTkZMirLlktCaQxR5g4sISBWaNUo4HDQaM-ghjkigUbU-zT0s02trZuQp8EOAEu1p5pKUtO1FLmrU8lJNyTlizAcZv7Na5Cu3udhT7_1-8u3DJmbJjvWyKPBSs-rQBHX_nJENzj82JOlNXv2-X9x3-8Rp_nmR7m5kEKfe6q_cbKRQyy5u2FlrxiSfv3LwAA__9Tq2zK	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	http://www.ismg.com.mx/	Get hash	malicious	Unknown	Browse	172.67.185.53
	Scanned_From_Microsoft-365-Ms Jennifer Ferrier Chief Financial Officer payment remittance.HTML	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	https://secure.rightsignature.com/signers/a62bc9d4-e300-4799-b31f-1baf2136c0d1/sign?identity_token=ikxrhixfmvyfgisdycV9	Get hash	malicious	HTMLPhisher	Browse	104.17.64.14
	https://bio.site/1stghmcom/	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	TS-240506-UF2.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	SecuriteInfo.com.Win32.PWSX-gen.32248.12145.exe	Get hash	malicious	RedLine	Browse	104.20.4.235
	SecuriteInfo.com.Win32.PWSX-gen.6752.20282.exe	Get hash	malicious	RedLine	Browse	104.20.3.235
	SecuriteInfo.com.Win32.PWSX-gen.30686.12876.exe	Get hash	malicious	RedLine	Browse	172.67.19.24

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	Transfer copy of remittance.cmd	Get hash	malicious	Remcos, DBatLoader	Browse	104.26.5.15 34.117.186.192
	#U00d6deme makbuzu ektedir.bat	Get hash	malicious	DBatLoader, Remcos	Browse	104.26.5.15 34.117.186.192
	#U00d6deme makbuzu ektedir.docx.doc	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	https://i.nupem.ufrj.br/SYE_6SKEh	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	BB6571B3.xlsm	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	OJa1BOigU3.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	OJa1BOigU3.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15 34.117.186.192
	app.exe	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	Template_signed_0405.dotm.doc	Get hash	malicious	Unknown	Browse	104.26.5.15 34.117.186.192
	SecuriteInfo.com.Variant.Lazy.387025.32273.29448.exe	Get hash	malicious	RedLine	Browse	104.26.5.15 34.117.186.192

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3188736
Entropy (8bit):	7.981027272062894
Encrypted:	false
SSDEEP:	98304:DInXnNqIvqO74jZlyPeYy+sOnc6FqoMD:ygISO7sZae+FcSMD
MD5:	51014F1C86736D8F91D432548062EBBF
SHA1:	6D0BAB0A443FF43C293F57DFACE65DFEA47501A9
SHA-256:	1845D2A25B628C6FF5E489F83FF975A0C8140BBEEB8EA05F5404A45EE2F9C7EA
SHA-512:	E05A72A5DEDE84005AEDB80884CE191180BFD811A5AA197E18B5D467170B1E6B534B42EEF3F37782355193663F952599D7EB6D0121A6F1ADB2019CB3B547187D
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 39% Antivirus: Virustotal, Detection: 40%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....96f...............'.........................@......................................@... .. .... .. ..........P.......\...............................0........................................................................................................6..................@........................:..............@............P...P.......<..............@........................D..............@................p...b...D..............@....rsrc...............................@..@..........x......(...p..............@....data....."......".................@...................................................................................................................................................

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0905694034302293
Encrypted:	false
SSDEEP:	192:+CRlrSzZ8DX0N/QB6E6jjYZrSruBl9zuiFGZ24IO826t:BKZekN/QEjC9zuiFGY4IO8p
MD5:	AA33BA4BF670C5953A2F6849F09214EE
SHA1:	9654FA3E4E28A7A5EC9712BD477049F87717B9BC
SHA-256:	60351DC8F18704950DA6429CDCB7657CF90F1FD55EBA315194453D155F1A7904
SHA-512:	667BC52BE4258C36A5ACD14726F8841A8C276546B9E269DDEF15F85AEDBF8019134420E3C82870C1B7F1C613AD4DF17C7126C6C1C9329D47CFE56BA909DD8853
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.9.4.9.2.5.2.3.6.1.6.6.8.2.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.9.4.9.2.5.2.4.1.9.4.8.0.3.0.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.6.4.0.2.6.3.c.b.-.4.9.b.4.-.4.1.b.7.-.b.4.8.7.-.4.b.8.1.8.3.1.5.d.5.e.a.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.c.c.6.d.0.b.0.6.-.3.3.0.5.-.4.8.8.2.-.9.8.3.4.-.f.8.8.3.7.c.5.e.f.e.e.f.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.P.G.P.H.1.3.1...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.C.r.o.s.s.D.e.v.i.c.e.S.e.t.t.i.n.g.s.H.o.s.t...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.a.0.-.0.0.0.1.-.0.0.1.4.-.8.8.1.5.-.6.f.5.0.e.0.9.f.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.6.7.a.b.c.f.8.d.6.c.2.5.2.9.7.e.d.9.7.2.3.e.f.1.6.c.3.8.f.3.6.0.0.0.0.0.9.1.0.!.0.0.0.0.6.d.0.b.a.b.0.a.4.4.3.f.f.4.3.c.2.9.3.f.5.7.

Entrypoint:	0xf5ca8c
Entrypoint Section:	.data
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x663639CA [Sat May 4 13:36:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	272279f18f704f637aa129691266b291

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x940050	0xd0b	.data
IMAGE_DIRECTORY_ENTRY_IMPORT	0x940d5c	0x3b0	.data
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x1a1000	0xc8bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x940030	0x10	.data
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x940000	0x18	.data
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x15c000	0x93600	1c30c55f327dff326a32a79b19e348d6	False	0.9999685247031382	data	7.999675017725288	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x15d000	0x28000	0x10200	74548ae799e79fc20306cc602d37a794	False	0.9983648255813954	data	7.99639087266641	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x185000	0x5000	0x800	3818ed903188218960f33e014f774303	False	0.9970703125	data	7.83802229172669	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x18a000	0xd000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x197000	0xa000	0x6200	190e1a61abc7d6a0a7c981417fcc65a3	False	0.9881616709183674	data	7.972593331740996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x1a1000	0xd000	0xca00	6e46563fc615b7272cc3ab7b669e3874	False	0.6000541460396039	data	5.556770173829542	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
	0x1ae000	0x78f000	0x32800	06bf0b39137a35cdc92c7a5f4bd29b27	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x93d000	0x221000	0x221000	09fd6339de78073bdda8de6df01391d2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1a1370	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	Russian	Russia	0.31402439024390244
RT_ICON	0x1a19d8	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	Russian	Russia	0.42338709677419356
RT_ICON	0x1a1cc0	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 288	Russian	Russia	0.5061475409836066
RT_ICON	0x1a1ea8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	Russian	Russia	0.5675675675675675
RT_ICON	0x1a1fd0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	Russian	Russia	0.46961620469083154
RT_ICON	0x1a2e78	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	Russian	Russia	0.4020758122743682
RT_ICON	0x1a3720	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	Russian	Russia	0.45506912442396313
RT_ICON	0x1a3de8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	Russian	Russia	0.2904624277456647
RT_ICON	0x1a4350	0x4b55	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.9921182266009853
RT_ICON	0x1a8ea8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Russian	Russia	0.316701244813278
RT_ICON	0x1ab450	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Russian	Russia	0.36186679174484054
RT_ICON	0x1ac4f8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	Russian	Russia	0.42418032786885246
RT_ICON	0x1ace80	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Russian	Russia	0.5026595744680851
RT_GROUP_ICON	0x1ad2e8	0xbc	data	Russian	Russia	0.6170212765957447
RT_VERSION	0x1ad3a4	0x398	OpenPGP Public Key	Russian	Russia	0.42282608695652174
RT_MANIFEST	0x1ad73c	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

DLL	Import
kernel32.dll	GetModuleHandleA, GetProcAddress, ExitProcess, LoadLibraryA
user32.dll	MessageBoxA
advapi32.dll	RegCloseKey
oleaut32.dll	SysFreeString
gdi32.dll	CreateFontA
shell32.dll	ShellExecuteA
version.dll	GetFileVersionInfoA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 6, 2024 20:08:05.762731075 CEST	63557	53	192.168.2.4	1.1.1.1
May 6, 2024 20:08:05.874954939 CEST	53	63557	1.1.1.1	192.168.2.4
May 6, 2024 20:08:08.260582924 CEST	58175	53	192.168.2.4	1.1.1.1
May 6, 2024 20:08:08.372803926 CEST	53	58175	1.1.1.1	192.168.2.4

Timestamp	Bytes transferred	Direction	Data
2024-05-06 18:08:06 UTC	237	OUT	GET /widget/demo/84.17.40.101 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-06 18:08:06 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Mon, 06 May 2024 18:08:06 GMT content-type: application/json; charset=utf-8 Content-Length: 1023 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-06 18:08:06 UTC	741	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 31 30 31 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 31 30 31 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 38 34 2d 31 37 2d 34 30 2d 31 30 31 2e 63 64 6e 37 37 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4d 69 61 6d 69 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 32 35 2e 37 37 34 33 2c 2d 38 30 2e 31 39 33 37 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 Data Ascii: { "input": "84.17.40.101", "data": { "ip": "84.17.40.101", "hostname": "unn-84-17-40-101.cdn77.com", "city": "Miami", "region": "Florida", "country": "US", "loc": "25.7743,-80.1937", "org": "AS60068 Datacamp Limited", "
2024-05-06 18:08:06 UTC	282	IN	Data Raw: 20 20 20 20 7d 2c 0a 20 20 20 20 22 61 62 75 73 65 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 2c 20 5a 64 65 6e 65 6b 20 43 65 6e 64 72 61 2c 20 32 30 37 20 52 65 67 65 6e 74 20 53 74 72 65 65 74 2c 20 57 31 42 20 33 48 48 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 4e 49 54 45 44 20 4b 49 4e 47 44 4f 4d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 64 61 74 61 63 61 6d 70 2e 63 6f 2e 75 6b 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 43 6f 6e 74 61 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 30 2f 32 34 22 2c 0a 20 20 Data Ascii: }, "abuse": { "address": "Datacamp Limited, Zdenek Cendra, 207 Regent Street, W1B 3HH, London, UNITED KINGDOM", "country": "US", "email": "abuse@datacamp.co.uk", "name": "Abuse Contact", "network": "84.17.40.0/24",

Timestamp	Bytes transferred	Direction	Data
2024-05-06 18:08:08 UTC	261	OUT	GET /demo/home.php?s=84.17.40.101 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-05-06 18:08:08 UTC	654	IN	HTTP/1.1 200 OK Date: Mon, 06 May 2024 18:08:08 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: 6CA2D4AC:5BD0_93878F2E:0050_66391C88_BE6D195:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B4zRw3uPQI8HdIcB1utgepnuJdDyJt96Y%2BUO3cKjO1yHj2aoUK%2FhJOSHqvXj9lLGBOiroayETE9l4m1Lr8BIzDkHxKnTsz72eRjm5yjReUrxEzfZaiJy9zHhiQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87fae9f70a3b4964-MIA alt-svc: h3=":443"; ma=86400
2024-05-06 18:08:08 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-06 18:08:08 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-06 18:08:12 UTC	237	OUT	GET /widget/demo/84.17.40.101 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-06 18:08:12 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Mon, 06 May 2024 18:08:12 GMT content-type: application/json; charset=utf-8 Content-Length: 1023 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-06 18:08:12 UTC	741	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 31 30 31 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 31 30 31 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 38 34 2d 31 37 2d 34 30 2d 31 30 31 2e 63 64 6e 37 37 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4d 69 61 6d 69 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 32 35 2e 37 37 34 33 2c 2d 38 30 2e 31 39 33 37 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 Data Ascii: { "input": "84.17.40.101", "data": { "ip": "84.17.40.101", "hostname": "unn-84-17-40-101.cdn77.com", "city": "Miami", "region": "Florida", "country": "US", "loc": "25.7743,-80.1937", "org": "AS60068 Datacamp Limited", "
2024-05-06 18:08:12 UTC	282	IN	Data Raw: 20 20 20 20 7d 2c 0a 20 20 20 20 22 61 62 75 73 65 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 2c 20 5a 64 65 6e 65 6b 20 43 65 6e 64 72 61 2c 20 32 30 37 20 52 65 67 65 6e 74 20 53 74 72 65 65 74 2c 20 57 31 42 20 33 48 48 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 4e 49 54 45 44 20 4b 49 4e 47 44 4f 4d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 64 61 74 61 63 61 6d 70 2e 63 6f 2e 75 6b 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 43 6f 6e 74 61 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 30 2f 32 34 22 2c 0a 20 20 Data Ascii: }, "abuse": { "address": "Datacamp Limited, Zdenek Cendra, 207 Regent Street, W1B 3HH, London, UNITED KINGDOM", "country": "US", "email": "abuse@datacamp.co.uk", "name": "Abuse Contact", "network": "84.17.40.0/24",

Timestamp	Bytes transferred	Direction	Data
2024-05-06 18:08:12 UTC	261	OUT	GET /demo/home.php?s=84.17.40.101 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-05-06 18:08:13 UTC	652	IN	HTTP/1.1 200 OK Date: Mon, 06 May 2024 18:08:12 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC4652EB:24F6_93878F2E:0050_66391C8C_BE8B11B:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ZIkLvYesWhF7t0CvLLjNvQpxRjbF1%2Bjot1MNRYdkp8uJ2y3NudTPSDA2uXcsyUxTjsh4Excl%2B1F7x0QNuMElgILfeHeYro0QI1CdJBrX1CjqnjeWQQHUuWHBpA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87faea105f9f67d4-MIA alt-svc: h3=":443"; ma=86400
2024-05-06 18:08:13 UTC	85	IN	Data Raw: 34 66 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 65 72 72 6f 72 22 3a 22 6f 76 65 72 20 71 75 65 72 79 20 6c 69 6d 69 74 2c 20 70 6c 65 61 73 65 20 74 72 79 20 61 67 61 69 6e 20 6c 61 74 65 72 22 7d 7d 0d 0a Data Ascii: 4f{"status":"ok","demoInfo":{"error":"over query limit, please try again later"}}
2024-05-06 18:08:13 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Timestamp	Bytes transferred	Direction	Data
2024-05-06 18:08:16 UTC	237	OUT	GET /widget/demo/84.17.40.101 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-06 18:08:17 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Mon, 06 May 2024 18:08:16 GMT content-type: application/json; charset=utf-8 Content-Length: 1023 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-06 18:08:17 UTC	741	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 31 30 31 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 31 30 31 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 38 34 2d 31 37 2d 34 30 2d 31 30 31 2e 63 64 6e 37 37 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4d 69 61 6d 69 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 32 35 2e 37 37 34 33 2c 2d 38 30 2e 31 39 33 37 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 Data Ascii: { "input": "84.17.40.101", "data": { "ip": "84.17.40.101", "hostname": "unn-84-17-40-101.cdn77.com", "city": "Miami", "region": "Florida", "country": "US", "loc": "25.7743,-80.1937", "org": "AS60068 Datacamp Limited", "
2024-05-06 18:08:17 UTC	282	IN	Data Raw: 20 20 20 20 7d 2c 0a 20 20 20 20 22 61 62 75 73 65 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 2c 20 5a 64 65 6e 65 6b 20 43 65 6e 64 72 61 2c 20 32 30 37 20 52 65 67 65 6e 74 20 53 74 72 65 65 74 2c 20 57 31 42 20 33 48 48 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 4e 49 54 45 44 20 4b 49 4e 47 44 4f 4d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 64 61 74 61 63 61 6d 70 2e 63 6f 2e 75 6b 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 43 6f 6e 74 61 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 30 2f 32 34 22 2c 0a 20 20 Data Ascii: }, "abuse": { "address": "Datacamp Limited, Zdenek Cendra, 207 Regent Street, W1B 3HH, London, UNITED KINGDOM", "country": "US", "email": "abuse@datacamp.co.uk", "name": "Abuse Contact", "network": "84.17.40.0/24",

Timestamp	Bytes transferred	Direction	Data
2024-05-06 18:08:18 UTC	237	OUT	GET /widget/demo/84.17.40.101 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-05-06 18:08:18 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Mon, 06 May 2024 18:08:18 GMT content-type: application/json; charset=utf-8 Content-Length: 1023 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-05-06 18:08:18 UTC	741	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 31 30 31 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 31 30 31 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 75 6e 6e 2d 38 34 2d 31 37 2d 34 30 2d 31 30 31 2e 63 64 6e 37 37 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4d 69 61 6d 69 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 32 35 2e 37 37 34 33 2c 2d 38 30 2e 31 39 33 37 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 36 30 30 36 38 20 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 2c 0a 20 20 20 20 22 Data Ascii: { "input": "84.17.40.101", "data": { "ip": "84.17.40.101", "hostname": "unn-84-17-40-101.cdn77.com", "city": "Miami", "region": "Florida", "country": "US", "loc": "25.7743,-80.1937", "org": "AS60068 Datacamp Limited", "
2024-05-06 18:08:18 UTC	282	IN	Data Raw: 20 20 20 20 7d 2c 0a 20 20 20 20 22 61 62 75 73 65 22 3a 20 7b 0a 20 20 20 20 20 20 22 61 64 64 72 65 73 73 22 3a 20 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 2c 20 5a 64 65 6e 65 6b 20 43 65 6e 64 72 61 2c 20 32 30 37 20 52 65 67 65 6e 74 20 53 74 72 65 65 74 2c 20 57 31 42 20 33 48 48 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 4e 49 54 45 44 20 4b 49 4e 47 44 4f 4d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 64 61 74 61 63 61 6d 70 2e 63 6f 2e 75 6b 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 41 62 75 73 65 20 43 6f 6e 74 61 63 74 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 34 2e 31 37 2e 34 30 2e 30 2f 32 34 22 2c 0a 20 20 Data Ascii: }, "abuse": { "address": "Datacamp Limited, Zdenek Cendra, 207 Regent Street, W1B 3HH, London, UNITED KINGDOM", "country": "US", "email": "abuse@datacamp.co.uk", "name": "Abuse Contact", "network": "84.17.40.0/24",

Target ID:	0
Start time:	20:07:50
Start date:	06/05/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xf70000
File size:	3'188'736 bytes
MD5 hash:	51014F1C86736D8F91D432548062EBBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2023815185.0000000001CEC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1907164226.0000000001CE6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2023815185.0000000001C7E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	20:07:52
Start date:	06/05/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xeb0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	20:07:53
Start date:	06/05/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x2e0000
File size:	3'188'736 bytes
MD5 hash:	51014F1C86736D8F91D432548062EBBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.2173403489.0000000001838000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.2110910326.0000000001838000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.2173403489.00000000017DE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.2173403489.000000000174D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs Detection: 40%, Virustotal, Browse
Reputation:	low
Has exited:	true

Target ID:	7
Start time:	20:08:00
Start date:	06/05/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x610000
File size:	3'188'736 bytes
MD5 hash:	51014F1C86736D8F91D432548062EBBF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.2022464307.000000000191E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.2022464307.00000000019F4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 39%, ReversingLabs Detection: 40%, Virustotal, Browse
Reputation:	low
Has exited:	true

Target ID:	8
Start time:	20:08:08
Start date:	06/05/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x610000
File size:	3'188'736 bytes
MD5 hash:	51014F1C86736D8F91D432548062EBBF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2015798047.00000000019D2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2015798047.0000000001A18000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.2015798047.0000000001938000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	20:08:16
Start date:	06/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7672 -s 1944
Imagebase:	0x530000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	16
Start time:	20:08:19
Start date:	06/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7784 -s 1908
Imagebase:	0x530000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_f22e2bf49a32bf74f5adbe8cba848017948e65f7_0010bad0_640263cb-49b4-41b7-b487-4b818315d5ea\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d8cfe4b0b9575b2ab71f14e55e4d6484872cb94_df5fde7b_aa9d6a92-8d2d-4559-99fe-1b134b7dfc56\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RageMP131.exe_d8cfe4b0b9575b2ab71f14e55e4d6484872cb94_df5fde7b_f3afe759-c551-431a-a54b-014b05a40ae0\Report.wer

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_751fa919568148cae58711204775ef674bafd71f_50e30abd_2c1d9ae0-1b69-4126-ae64-d738448a55b5\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER144F.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER16F0.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER172F.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER220B.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2333.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2334.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER2364.tmp.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER242E.tmp.WERInternalMetadata.xml

Windows Analysis Report
file.exe

Target ID:	18
Start time:	20:08:20
Start date:	06/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7428 -s 1980
Imagebase:	0x530000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	20
Start time:	20:08:43
Start date:	06/05/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7584 -s 1960
Imagebase:	0x530000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Execution Coverage:	23.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	41.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	43

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre