Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1434626
MD5: 2bfbd889530f526aa6833886723e7fae
SHA1: 736e9f9229d6824ceb0e698debfa91244be827c1
SHA256: 9373eeeb7d7a9c065afb641da6689c9d1982e949f6b6e5d7d228fbee397b83f0
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

AV Detection

Source: file.exe Avira: detected
Source: http://193.233.132.167/cost/lenin.exe URL Reputation: Label: malware
Source: http://193.233.132.167/cost/lenin.exeser Avira URL Cloud: Label: phishing
Source: http://193.233.132.167/cost/lenin.exe%&it Avira URL Cloud: Label: phishing
Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/go.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.167/cost/lenin.exeer Avira URL Cloud: Label: phishing
Source: http://193.233.132.167/cost/go.exedka.exe Avira URL Cloud: Label: phishing
Source: http://193.233.132.167/cost/go.exe6 Avira URL Cloud: Label: phishing
Source: http://193.233.132.167/cost/lenin.exepro_bot Avira URL Cloud: Label: phishing
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: http://193.233.132.167/cost/go.exe Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/lenin.exeer Virustotal: Detection: 23%
Source: http://147.45.47.102:57893/hera/amadka.exe68.0 Virustotal: Detection: 15%
Source: http://193.233.132.167/cost/go.exedka.exe Virustotal: Detection: 25%
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18%
Source: http://193.233.132.167/cost/lenin.exepro_bot Virustotal: Detection: 24%
Source: http://193.233.132.167/cost/go.exe6 Virustotal: Detection: 23%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 31%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 36%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 36%
Source: file.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00743EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 0_2_00743EB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00183EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 6_2_00183EB0
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49716 version: TLS 1.0
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.62.132:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.62.132:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.62.132:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.54.46.90:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.54.46.90:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49756 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0075D2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007433B0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_007433B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00711A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 0_2_00711A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00763B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00763B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B1F8C FindClose,FindFirstFileExW,GetLastError, 0_2_006B1F8C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B2012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_006B2012
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007113F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_007113F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0019D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_0019D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001833B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 6_2_001833B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00151A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 6_2_00151A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001A3B20 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_001A3B20

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49708
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49707 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49708 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49721
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49743
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49716 version: TLS 1.0
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93 (43 connections in this run)
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91 (7 connections in this run)
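The two network signatures evidenced above ("Connects to many ports of the same IP" and "TCP traffic detected without corresponding DNS query") can be reproduced from ordinary flow and DNS logs. The following is an added example, not code from the Joe Sandbox report: it runs both checks over constructed Zeek-style records that mirror the addresses and ports the report lists (the RisePro C2 147.45.47.93:58709, the extra ports 0, 5, 7, 8 and 9 on that host, and the TLS destinations). The DNS answer mapping ipinfo.io to 34.117.186.192 in the sample data is an assumption; the report records the DNS query and the TLS session separately and does not tie them together.

```python
"""Replay two of the report's network signatures over constructed logs.

Added example; not code from the Joe Sandbox report. The records below are
constructed to mirror the report: the RisePro C2 at 147.45.47.93:58709 and
the extra ports 0,5,7,8,9 seen on the same host, plus a few TLS sessions.
The DNS answer ipinfo.io -> 34.117.186.192 is an assumption used only to
make the sample data self-consistent.
"""
from collections import defaultdict
import ipaddress

# Constructed Zeek conn.log-style records: (ts, src_ip, dst_ip, dst_port, proto)
CONN_LOG = [
    (1000.0, "192.168.2.5", "147.45.47.93", 58709, "tcp"),   # RisePro C2 session
    (1001.0, "192.168.2.5", "147.45.47.93", 0, "tcp"),       # port sweep on the C2 host
    (1001.2, "192.168.2.5", "147.45.47.93", 5, "tcp"),
    (1001.4, "192.168.2.5", "147.45.47.93", 7, "tcp"),
    (1001.6, "192.168.2.5", "147.45.47.93", 8, "tcp"),
    (1001.8, "192.168.2.5", "147.45.47.93", 9, "tcp"),
    (1005.0, "192.168.2.5", "34.117.186.192", 443, "tcp"),   # preceded by a DNS answer
    (1006.0, "192.168.2.5", "23.1.237.91", 443, "tcp"),      # no DNS answer on the sensor
    (1007.0, "192.168.2.5", "239.255.255.250", 1900, "udp"), # SSDP multicast, ignored
]

# Constructed Zeek dns.log-style answers: (ts, client_ip, qname, answer_ip)
DNS_LOG = [
    (1004.0, "192.168.2.5", "ipinfo.io", "34.117.186.192"),  # assumed mapping
]

PORT_SWEEP_THRESHOLD = 4  # distinct TCP destination ports on one IP before alerting


def many_ports_same_ip(conn_log, threshold=PORT_SWEEP_THRESHOLD):
    """Return {(src, dst): sorted ports} for (src, dst) pairs that reached
    at least `threshold` distinct TCP destination ports."""
    ports = defaultdict(set)
    for _ts, src, dst, dport, proto in conn_log:
        if proto == "tcp":
            ports[(src, dst)].add(dport)
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= threshold}


def is_routable(ip):
    """Skip private, multicast, loopback and link-local destinations, which
    are never reached through a DNS lookup in a normal client flow."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_multicast
                or addr.is_loopback or addr.is_link_local)


def tcp_without_dns(conn_log, dns_log):
    """Return the set of routable destination IPs that a TCP connection
    reached before any DNS answer on the sensor had resolved to them."""
    answered_at = defaultdict(list)  # answer_ip -> timestamps of answers
    for ts, _client, _qname, ip in dns_log:
        answered_at[ip].append(ts)
    hits = set()
    for ts, _src, dst, _dport, proto in conn_log:
        if proto != "tcp" or not is_routable(dst):
            continue
        if not any(a <= ts for a in answered_at.get(dst, [])):
            hits.add(dst)
    return hits


def main():
    for (src, dst), ports in many_ports_same_ip(CONN_LOG).items():
        print(f"port sweep: {src} -> {dst} ports {ports}")
    for dst in sorted(tcp_without_dns(CONN_LOG, DNS_LOG)):
        print(f"tcp without prior dns answer: {dst}")


if __name__ == "__main__":
    main()
```

The DNS-less check is noisy on its own: the report raises it for 23.1.237.91 as well, an address it ties only to a TLS session, so cached resolutions and IP-literal connections produce hits that need corroboration. What makes the 147.45.47.93 hits actionable is that the same host also trips the port-sweep check and the ET RisePro Snort signatures on port 58709.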
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006980A0 recv, 0_2_006980A0
Source: global traffic HTTP traffic detected (observed 5 times in this run): GET /widget/demo/149.18.24.96 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic HTTP traffic detected (observed 5 times in this run): GET /demo/home.php?s=149.18.24.96 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=AuDPp+o8rNUxp4O&MD=AUm+UWnC HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= | Sec-Fetch-Site: none | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1 | Host: www.google.com | Connection: keep-alive | X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc= | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1 | Host: www.google.com | Connection: keep-alive | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: empty | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.SCWmpDDGjPk.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAC/rs=AHpOoo_Pl64J0IIHlj2zBtEJ3ZwdaJC3HA/cb=gapi.loaded_0 HTTP/1.1 | Host: apis.google.com | Connection: keep-alive | sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117" | sec-ch-ua-mobile: ?0 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 | sec-ch-ua-platform: "Windows" | Accept: */* | X-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlqHLAQiFoM0BCOnFzQEIucrNAQiK080BGI/OzQEYwtjNARjrjaUX | Sec-Fetch-Site: cross-site | Sec-Fetch-Mode: no-cors | Sec-Fetch-Dest: script | Accept-Encoding: gzip, deflate, br | Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /fs/windows/config.json HTTP/1.1 | Connection: Keep-Alive | Accept: */* | Accept-Encoding: identity | If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT | Range: bytes=0-2147483646 | User-Agent: Microsoft BITS/7.8 | Host: fs.microsoft.com
Source: global traffic HTTP traffic detected: GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=AuDPp+o8rNUxp4O&MD=AUm+UWnC HTTP/1.1 | Connection: Keep-Alive | Accept: */* | User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33 | Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: unknown HTTP traffic detected: POST /threshold/xls.aspx HTTP/1.1 | Origin: https://www.bing.com | Referer: https://www.bing.com/AS/API/WindowsCortanaPane/V2/Init | Accept: */* | Accept-Language: en-CH | Content-type: text/xml | X-Agent-DeviceId: 01000A410900D492 | X-BM-CBT: 1696428841 | X-BM-DateFormat: dd/MM/yyyy | X-BM-DeviceDimensions: 784x984 | X-BM-DeviceDimensionsLogical: 784x984 | X-BM-DeviceScale: 100 | X-BM-DTZ: 120 | X-BM-Market: CH | X-BM-Theme: 000000;0078d7 | X-BM-WindowsFlights: FX:117B9872,FX:119E26AD,FX:11C0E96C,FX:11C6E5C2,FX:11C7EB6A,FX:11C9408A,FX:11C940DB,FX:11CB9A9F,FX:11CB9AC1,FX:11CC111C,FX:11D5BFCD,FX:11DF5B12,FX:11DF5B75,FX:1240931B,FX:124B38D0,FX:127FC878,FX:1283FFE8,FX:12840617,FX:128979F9,FX:128EBD7E,FX:129135BB,FX:129E053F,FX:12A74DB5,FX:12AB734D,FX:12B8450E,FX:12BD6E73,FX:12C3331B,FX:12C7D66E | X-Device-ClientSession: DB0AFB19004F47BC80E5208C7478FF22 | X-Device-isOptin: false | X-Device-MachineId: {92C86F7C-DB2B-4F6A-95AD-98B4A2AE008A} | X-Device-OSSKU: 48 | X-Device-Touch: false | X-DeviceID: 01000A410900D492 | X-MSEdge-ExternalExp: d-thshld39,d-thshld42,d-thshld77,d-thshld78,staticsh | X-MSEdge-ExternalExpType: JointCoord | X-PositionerType: Desktop | X-Search-AppId: Microsoft.Windows.Cortana_cw5n1h2txyewy!CortanaUI | X-Search-CortanaAvailableCapabilities: None | X-Search-SafeSearch: Moderate | X-Search-TimeZone: Bias=-60; DaylightBias=-60; TimeZoneKeyName=W. Europe Standard Time | X-UserAgeClass: Unknown | Accept-Encoding: gzip, deflate, br | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Cortana 1.14.7.19041; 10.0.0.0.19045.2006) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36 Edge/18.19045 | Host: www.bing.com | Content-Length: 2484 | Connection: Keep-Alive | Cache-Control: no-cache | Cookie: MUID=2F4E96DB8B7049E59AD4484C3C00F7CF; _SS=SID=1A6DEABB468B65843EB5F91B47916435&CPID=1714568142038&AC=1&CPH=d1a4eb75; _EDGE_S=SID=1A6DEABB468B65843EB5F91B47916435; SRCHUID=V=2&GUID=3D32B8AC657C4AD781A584E283227995&dmnchg=1; SRCHD=AF=NOFORM; SRCHUSR=DOB=20231004; SRCHHPGUSR=SRCHLANG=en&IPMH=986d886c&IPMID=1696428841029&HV=1696428756; CortanaAppUID=5A290E2CC4B523E2D8B5E2E3E4CB7CB7; MUIDB=2F4E96DB8B7049E59AD4484C3C00F7CF
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0ypM
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe
Source: MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exe6
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/go.exedka.exe
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe
Source: MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exe%&it
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeer
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exepro_bot
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.167/cost/lenin.exeser
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.12.dr String found in binary or memory: http://upx.sf.net
Source: chromecache_126.16.dr String found in binary or memory: http://www.broofa.com
Source: file.exe, 00000000.00000002.2384979224.0000000000681000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394332626.00000000000C1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2156726047.00000000000C1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293666295.00000000009C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2381931387.00000000009C1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.2067327421.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072177865.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065117612.0000000007A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171556764.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2174358684.00000000076C6000.00000004.00000020.00020000.00000000.sdmp, IdK_yZmlaFHAWeb Data.6.dr, j44dHwFGO1_uWeb Data.0.dr, 7xvFXvFzglyOWeb Data.6.dr, tsgP7fT1HmuYWeb Data.0.dr, U3E4o6W1bd9oWeb Data.0.dr, SvJj67aG9W02Web Data.6.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: chromecache_132.16.dr String found in binary or memory: https://accounts.google.com/o/oauth2/auth
Source: chromecache_132.16.dr String found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
Source: chromecache_126.16.dr, chromecache_132.16.dr String found in binary or memory: https://apis.google.com
Source: file.exe, 00000000.00000003.2067327421.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072177865.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065117612.0000000007A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171556764.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2174358684.00000000076C6000.00000004.00000020.00020000.00000000.sdmp, IdK_yZmlaFHAWeb Data.6.dr, j44dHwFGO1_uWeb Data.0.dr, 7xvFXvFzglyOWeb Data.6.dr, tsgP7fT1HmuYWeb Data.0.dr, U3E4o6W1bd9oWeb Data.0.dr, SvJj67aG9W02Web Data.6.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2067327421.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072177865.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065117612.0000000007A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171556764.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2174358684.00000000076C6000.00000004.00000020.00020000.00000000.sdmp, IdK_yZmlaFHAWeb Data.6.dr, j44dHwFGO1_uWeb Data.0.dr, 7xvFXvFzglyOWeb Data.6.dr, tsgP7fT1HmuYWeb Data.0.dr, U3E4o6W1bd9oWeb Data.0.dr, SvJj67aG9W02Web Data.6.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2067327421.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072177865.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065117612.0000000007A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171556764.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2174358684.00000000076C6000.00000004.00000020.00020000.00000000.sdmp, IdK_yZmlaFHAWeb Data.6.dr, j44dHwFGO1_uWeb Data.0.dr, 7xvFXvFzglyOWeb Data.6.dr, tsgP7fT1HmuYWeb Data.0.dr, U3E4o6W1bd9oWeb Data.0.dr, SvJj67aG9W02Web Data.6.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: chromecache_132.16.dr String found in binary or memory: https://clients6.google.com
Source: chromecache_132.16.dr String found in binary or memory: https://content.googleapis.com
Source: chromecache_132.16.dr String found in binary or memory: https://csp.withgoogle.com/csp/lcreport/
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2294738509.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/$#lt
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96
Source: RageMP131.exe, 00000009.00000002.2294738509.0000000001C65000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96.
Source: MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.967&
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96Cybe
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96J
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96Wp
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96atacam
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96l
Source: MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=149.18.24.96t
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/ms
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/y
Source: MPGPH131.exe, 00000006.00000002.2395988276.000000000160D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2294738509.0000000001C73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2383036911.0000000001B57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=149.18.24.96
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=149.18.24.96?v
Source: chromecache_132.16.dr String found in binary or memory: https://domains.google.com/suggest/flow
Source: file.exe, 00000000.00000003.2067327421.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072177865.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065117612.0000000007A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171556764.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, IdK_yZmlaFHAWeb Data.6.dr, j44dHwFGO1_uWeb Data.0.dr, 7xvFXvFzglyOWeb Data.6.dr, tsgP7fT1HmuYWeb Data.0.dr, U3E4o6W1bd9oWeb Data.0.dr, SvJj67aG9W02Web Data.6.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2067327421.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072177865.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065117612.0000000007A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171556764.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, IdK_yZmlaFHAWeb Data.6.dr, j44dHwFGO1_uWeb Data.0.dr, 7xvFXvFzglyOWeb Data.6.dr, tsgP7fT1HmuYWeb Data.0.dr, U3E4o6W1bd9oWeb Data.0.dr, SvJj67aG9W02Web Data.6.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2067327421.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072177865.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065117612.0000000007A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171556764.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, IdK_yZmlaFHAWeb Data.6.dr, j44dHwFGO1_uWeb Data.0.dr, 7xvFXvFzglyOWeb Data.6.dr, tsgP7fT1HmuYWeb Data.0.dr, U3E4o6W1bd9oWeb Data.0.dr, SvJj67aG9W02Web Data.6.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: chromecache_126.16.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
Source: chromecache_126.16.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
Source: chromecache_126.16.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
Source: chromecache_126.16.dr String found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BBA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2383036911.0000000001BE5000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2383036911.0000000001BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001B87000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/3(
Source: RageMP131.exe, 00000009.00000002.2294738509.0000000001BEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/F
Source: file.exe, 00000000.00000002.2386843694.0000000001881000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.0000000001447000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2294738509.0000000001C73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2383036911.0000000001BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.2384979224.0000000000681000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394332626.00000000000C1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2156726047.00000000000C1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293666295.00000000009C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2381931387.00000000009C1000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.2386843694.0000000001848000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/ons
Source: MPGPH131.exe, 00000006.00000002.2395988276.000000000163B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/s
Source: file.exe, 00000000.00000002.2386843694.000000000183A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2395988276.0000000001649000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.0000000001447000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2294738509.0000000001C73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2294738509.0000000001C2B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2383036911.0000000001B91000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96
Source: MPGPH131.exe, 00000007.00000002.2159144547.00000000013FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96.
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BD9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.961
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001649000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96LJu
Source: file.exe, 00000000.00000002.2386843694.0000000001881000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/149.18.24.96m
Source: file.exe, 00000000.00000002.2386843694.0000000001881000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2395988276.000000000160D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2294738509.0000000001C73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2383036911.0000000001B57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/149.18.24.96
Source: chromecache_126.16.dr String found in binary or memory: https://play.google.com/log?format=json&hasfast=true
Source: chromecache_132.16.dr String found in binary or memory: https://plus.google.com
Source: chromecache_132.16.dr String found in binary or memory: https://plus.googleapis.com
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t./
Source: RageMP131.exe, 00000009.00000002.2294738509.0000000001C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.B
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.D
Source: MPGPH131.exe, 00000007.00000002.2159144547.00000000013C7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2294738509.0000000001BEE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2383036911.0000000001B57000.00000004.00000020.00020000.00000000.sdmp, 2_C6p3QXcbFFG3yY8Vep02N.zip.6.dr, HtNUleLIfFhVUxnsVhhlEVf.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000002.2397922316.0000000007670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT_
Source: file.exe, 00000000.00000003.2112379303.00000000018E6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2386843694.00000000018E7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTi
Source: RageMP131.exe, 00000009.00000002.2294738509.0000000001C73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2383036911.0000000001BE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BE5000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr, passwords.txt.6.dr String found in binary or memory: https://t.me/risepro_bot
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BE5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot.96
Source: MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot8&
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botbpf
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botepi
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: chromecache_132.16.dr String found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
Source: file.exe, 00000000.00000003.2067327421.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072177865.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065117612.0000000007A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171556764.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2174358684.00000000076C6000.00000004.00000020.00020000.00000000.sdmp, IdK_yZmlaFHAWeb Data.6.dr, j44dHwFGO1_uWeb Data.0.dr, 7xvFXvFzglyOWeb Data.6.dr, tsgP7fT1HmuYWeb Data.0.dr, U3E4o6W1bd9oWeb Data.0.dr, SvJj67aG9W02Web Data.6.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2067327421.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072177865.000000000195C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065117612.0000000007A08000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171556764.00000000076CD000.00000004.00000020.00020000.00000000.sdmp, IdK_yZmlaFHAWeb Data.6.dr, j44dHwFGO1_uWeb Data.0.dr, 7xvFXvFzglyOWeb Data.6.dr, tsgP7fT1HmuYWeb Data.0.dr, U3E4o6W1bd9oWeb Data.0.dr, SvJj67aG9W02Web Data.6.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: chromecache_132.16.dr String found in binary or memory: https://www.googleapis.com/auth/plus.me
Source: chromecache_132.16.dr String found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
Source: chromecache_126.16.dr String found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
Source: chromecache_126.16.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
Source: chromecache_126.16.dr String found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
Source: file.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: MPGPH131.exe, 00000007.00000003.2149861557.0000000001504000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/2q
Source: file.exe, 00000000.00000003.2093561877.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2386843694.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2093271266.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2092866405.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2095796685.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072741838.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2112379303.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2095517525.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065514411.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072330477.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073800048.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070569648.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062743492.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2093910949.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094428520.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070217084.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2067530702.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068148874.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064737389.0000000001942000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2168379046.00000000076B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171993684.00000000076B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/U=D
Source: D87fZN3R3jFeplaces.sqlite.7.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2093561877.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2386843694.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2093271266.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2092866405.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2095796685.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072741838.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2112379303.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2095517525.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065514411.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072330477.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073800048.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070569648.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062743492.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2093910949.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094428520.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070217084.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2067530702.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068148874.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064737389.0000000001942000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2168379046.00000000076B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171993684.00000000076B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.00000000013FF000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2149861557.0000000001504000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: MPGPH131.exe, 00000007.00000002.2159144547.00000000013FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/6)
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ePq
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ex
Source: file.exe, 00000000.00000003.2093561877.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2386843694.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2093271266.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2092866405.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2095796685.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072741838.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2112379303.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2095517525.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065514411.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072330477.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073800048.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070569648.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062743492.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2093910949.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094428520.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070217084.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2067530702.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2068148874.0000000001942000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064737389.0000000001942000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2168379046.00000000076B4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000003.2171993684.00000000076B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000007.00000003.2149861557.0000000001504000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/i6
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/irefoxu
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ktop=
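The URL strings above fall into three groups: RisePro operator contact channels on Telegram (t.me/RiseProSUPPORT, t.me/risepro_bot, t.me/risepro), geolocation lookups against ipinfo.io, db-ip.com and maxmind.com with the same address, 149.18.24.96, embedded in every lookup URL, and search-engine or Mozilla URLs whose sources are the copied Chrome "Web Data" and Firefox places.sqlite files rather than the malware's own code. The many near-duplicates ("risepro_bot8&", "149.18.24.96Cybe", the ":443" forms) are one string read with whatever heap bytes happened to follow it. The Python below is an added triage example and is not part of this report or of any sandbox tooling: it carves URLs from raw bytes, strips default ports, and collapses the noisy variants onto a canonical indicator by longest-prefix match. The indicator table and category names are this example's own, built from the strings listed above, and the memory excerpt it runs on is constructed here.

```python
"""Carve URL strings out of a memory dump or dropped file and map them to
what a stealer triage needs: operator contact channels, the victim-IP
lookup services, and hosts that only appear because browser profile
databases were copied into the process."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\x21-\x7e]*)?")
IPV4_RE = re.compile(r"(?:s=|demo/)(\d{1,3}(?:\.\d{1,3}){3})")

# Prefix-keyed table built from the URL strings listed in the report; the
# category names are this example's own assumption.
INDICATORS = {
    "https://t.me/RiseProSUPPORT": "risepro_telegram",
    "https://t.me/risepro_bot": "risepro_telegram",
    "https://t.me/risepro": "risepro_telegram",
    "https://ipinfo.io/widget/demo/": "victim_geoip",
    "https://ipinfo.io/": "victim_geoip",
    "https://db-ip.com/demo/home.php?s=": "victim_geoip",
    "https://db-ip.com/": "victim_geoip",
    "https://www.maxmind.com/en/locate-my-ip-address": "victim_geoip",
}
# Hosts the report attributes to copied "Web Data" / places.sqlite files,
# i.e. search-engine and Firefox defaults, not stealer infrastructure.
BROWSER_PROFILE_HOSTS = {
    "duckduckgo.com", "www.ecosia.org", "ac.ecosia.org", "cdn.ecosia.org",
    "ch.search.yahoo.com", "www.google.com", "www.mozilla.org",
    "support.mozilla.org",
}


def carve_urls(data: bytes) -> list:
    """Every http(s) URL in the bytes. A match runs to the next NUL or
    whitespace, so heap data glued to the URL is kept (cf. 'risepro_bot8&')."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(data)]


def normalize(url: str) -> str:
    """Strip an explicit default port so 'x:443/p' and 'x/p' compare equal."""
    p = urlsplit(url)
    host = p.hostname or ""
    default = 443 if p.scheme == "https" else 80
    netloc = host if p.port in (None, default) else f"{host}:{p.port}"
    return f"{p.scheme}://{netloc}{p.path}" + (f"?{p.query}" if p.query else "")


def classify(url: str):
    """(category, canonical indicator). The longest indicator prefix wins,
    which is what folds the trailing-garbage variants into one entry."""
    u = normalize(url)
    for prefix in sorted(INDICATORS, key=len, reverse=True):
        if u.startswith(prefix):
            return INDICATORS[prefix], prefix
    host = urlsplit(u).hostname or ""
    if host in BROWSER_PROFILE_HOSTS:
        return "browser_profile_artifact", host
    return "unclassified", host


def triage(data: bytes) -> dict:
    """Group carved URLs by category and pull the looked-up IP out of the
    geolocation URLs."""
    hits = defaultdict(set)
    victim_ips = set()
    for raw in carve_urls(data):
        category, canonical = classify(raw)
        hits[category].add(canonical)
        if category == "victim_geoip":
            victim_ips.update(IPV4_RE.findall(raw))
    return {"hits": {k: sorted(v) for k, v in hits.items()},
            "victim_ips": sorted(victim_ips)}


# Constructed memory excerpt (not one of the report's dumps): URLs with the
# kind of adjacent bytes that produce the report's noisy variants.
DUMP = (
    b"\x00\x00https://ipinfo.io/widget/demo/149.18.24.96LJu\x00"
    b"https://ipinfo.io:443/widget/demo/149.18.24.96\x00"
    b"https://db-ip.com:443/demo/home.php?s=149.18.24.96?v\x00"
    b"https://ipinfo.io/Mozilla/5.0\x00"
    b"https://t.me/risepro_bot8&\x00https://t.me/RiseProSUPPORT_\x00"
    b"https://t.me/risepro\x00"
    b"https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll\x00"
    b"https://duckduckgo.com/ac/?q=\x00"
    b"https://www.mozilla.org/privacy/firefox/ePq\x00https://t.B\x00"
)

if __name__ == "__main__":
    import json
    print(json.dumps(triage(DUMP), indent=2))
```

Run it against a real .sdmp or dropped file by reading the file as bytes and passing it to triage(); anything that lands in "unclassified" (for instance the truncated "https://t.B" fragment) is what still needs an analyst's eye, while the Telegram and geolocation hits can go straight into a detection list.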
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49749 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 49752 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49754
Source: unknown Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49752
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49749
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 49754 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.62.132:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.62.132:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49747 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.62.132:443 -> 192.168.2.5:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.54.46.90:443 -> 192.168.2.5:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.54.46.90:443 -> 192.168.2.5:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.114.59.183:443 -> 192.168.2.5:49756 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C001D 0_2_006C001D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00778080 0_2_00778080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007161D0 0_2_007161D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075D2B0 0_2_0075D2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075C3E0 0_2_0075C3E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FF730 0_2_006FF730
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075B7E0 0_2_0075B7E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0068B8E0 0_2_0068B8E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BC8D0 0_2_007BC8D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007549B0 0_2_007549B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00711A60 0_2_00711A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00718A80 0_2_00718A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0071CBF0 0_2_0071CBF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00727D20 0_2_00727D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00713ED0 0_2_00713ED0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0071AEC0 0_2_0071AEC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070DF60 0_2_0070DF60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007B20C0 0_2_007B20C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C40A0 0_2_007C40A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C3160 0_2_007C3160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00721130 0_2_00721130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00702100 0_2_00702100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B7190 0_2_006B7190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007BF280 0_2_007BF280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00770350 0_2_00770350
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006C035F 0_2_006C035F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006AF570 0_2_006AF570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D47AD 0_2_006D47AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BC950 0_2_006BC950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006BA918 0_2_006BA918
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006CDA74 0_2_006CDA74
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C5A40 0_2_007C5A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007C4AE0 0_2_007C4AE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D8BA0 0_2_006D8BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00710BA0 0_2_00710BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00764B90 0_2_00764B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00721E40 0_2_00721E40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006D8E20 0_2_006D8E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0076CFC0 0_2_0076CFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0076BFC0 0_2_0076BFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F7707C9 0_2_7F7707C9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F770000 0_2_7F770000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0010001D 6_2_0010001D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001B8080 6_2_001B8080
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001561D0 6_2_001561D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0019D2B0 6_2_0019D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0019C3E0 6_2_0019C3E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0013F730 6_2_0013F730
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0019B7E0 6_2_0019B7E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001FC8D0 6_2_001FC8D0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_000CB8E0 6_2_000CB8E0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001949B0 6_2_001949B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00151A60 6_2_00151A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00158A80 6_2_00158A80
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0015CBF0 6_2_0015CBF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00167D20 6_2_00167D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00153ED0 6_2_00153ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_7F0607C9 6_2_7F0607C9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_7F060000 6_2_7F060000
Source: C:\Users\user\Desktop\file.exe Code function: String function: 0069ACE0 appears 86 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 000DACE0 appears 57 times
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1988
Source: file.exe, 00000000.00000002.2385274736.0000000000824000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9997602301790282
Source: file.exe Static PE information: Section: ZLIB complexity 0.9934290213178295
Source: file.exe Static PE information: Section: ZLIB complexity 0.99267578125
Source: file.exe Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997602301790282
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9934290213178295
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.99267578125
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997602301790282
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9934290213178295
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.99267578125
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@29/78@6/7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0075D2B0
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess4760
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5712
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2384979224.0000000000681000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394332626.00000000000C1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2156726047.00000000000C1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293666295.00000000009C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2381931387.00000000009C1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2384979224.0000000000681000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394332626.00000000000C1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2156726047.00000000000C1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293666295.00000000009C1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2381931387.00000000009C1000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.2073693742.000000000194D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064687733.00000000079F5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062743492.00000000018F6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074036440.0000000001945000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2065514411.00000000018F6000.00000004.00000020.00020000.00000000.sdmp, Fuz6d05rd5d_Login Data For Account.0.dr, QG6LiMOk_890Login Data For Account.6.dr, BIpsYmuYT2AYLogin Data.6.dr, KQfwLD90xfy2Login Data.0.dr, x1tQOcIn67slLogin Data.0.dr, Bz3MXLi1DqouLogin Data.6.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 31%
Source: file.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1988
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2008,i,7110459155309458570,504723634449211635,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 4760 -s 1968
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 --field-trial-handle=2008,i,7110459155309458570,504723634449211635,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: Slides.lnk.14.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.14.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Google Drive.lnk.14.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.14.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.14.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.14.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: file.exe Static file information: File size 3218432 > 1048576
Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x22ac00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.680000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.c0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.c0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 9.2.RageMP131.exe.9c0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 18.2.RageMP131.exe.9c0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0074C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0074C630
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B3F49 push ecx; ret 0_2_006B3F5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771F75 push 7F770002h; ret 0_2_7F771F7F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771765 push 7F770002h; ret 0_2_7F77176F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F770F55 push 7F770002h; ret 0_2_7F770F5F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F772755 push 7F770002h; ret 0_2_7F77275F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771F45 push 7F770002h; ret 0_2_7F771F4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771735 push 7F770002h; ret 0_2_7F77173F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F770F25 push 7F770002h; ret 0_2_7F770F2F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F772725 push 7F770002h; ret 0_2_7F77272F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771F15 push 7F770002h; ret 0_2_7F771F1F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771705 push 7F770002h; ret 0_2_7F77170F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F7717F5 push 7F770002h; ret 0_2_7F7717FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F770FE5 push 7F770002h; ret 0_2_7F770FEF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F7727E5 push 7F770002h; ret 0_2_7F7727EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771FD5 push 7F770002h; ret 0_2_7F771FDF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F7717C5 push 7F770002h; ret 0_2_7F7717CF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F7707C9 push esi; mov dword ptr [esp], esi 0_2_7F770603
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F7707C9 push edi; mov dword ptr [esp], edx 0_2_7F77068B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F7707C9 push ebx; mov dword ptr [esp], ebx 0_2_7F7708CC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F770FB5 push 7F770002h; ret 0_2_7F770FBF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F7727B5 push 7F770002h; ret 0_2_7F7727BF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771FA5 push 7F770002h; ret 0_2_7F771FAF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771795 push 7F770002h; ret 0_2_7F77179F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F770F85 push 7F770002h; ret 0_2_7F770F8F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F772785 push 7F770002h; ret 0_2_7F77278F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771675 push 7F770002h; ret 0_2_7F77167F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F770E65 push 7F770002h; ret 0_2_7F770E6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F772665 push 7F770002h; ret 0_2_7F77266F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771E55 push 7F770002h; ret 0_2_7F771E5F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F771645 push 7F770002h; ret 0_2_7F77164F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F770E35 push 7F770002h; ret 0_2_7F770E3F
Source: file.exe Static PE information: section name: entropy: 7.9995848976394885
Source: file.exe Static PE information: section name: entropy: 7.990391614205457
Source: file.exe Static PE information: section name: entropy: 7.815402518383047
Source: file.exe Static PE information: section name: entropy: 7.992650220801751
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.9995848976394885
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.990391614205457
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.815402518383047
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.992650220801751
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.9995848976394885
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.990391614205457
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.815402518383047
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.992650220801751
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 766 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 465 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 691
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe TID: 5788 Thread sleep count: 766 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1992 Thread sleep count: 465 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1992 Thread sleep count: 59 > 30 Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3224 Thread sleep count: 62 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6664 Thread sleep count: 257 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6664 Thread sleep count: 691 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6664 Thread sleep count: 121 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7360 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7360 Thread sleep count: 88 > 30
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0075D2B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007433B0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_007433B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00711A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 0_2_00711A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00763B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00763B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B1F8C FindClose,FindFirstFileExW,GetLastError, 0_2_006B1F8C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B2012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_006B2012
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007113F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_007113F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_0019D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_0019D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001833B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 6_2_001833B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00151A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 6_2_00151A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_001A3B20 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 6_2_001A3B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0075D2B0
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000003.2092342342.0000000001947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.12.dr Binary or memory string: vmci.sys
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: vmware
Source: file.exe, 00000000.00000003.2092342342.0000000001947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696428655d
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: Amcache.hve.12.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000003.2012551318.0000000001870000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: Amcache.hve.12.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696h)l
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000003.2092342342.0000000001947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696428x'
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: Amcache.hve.12.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000002.2395988276.000000000163B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000f
Source: RageMP131.exe, 00000012.00000003.2298831611.0000000001BC4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b};
Source: Amcache.hve.12.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin`
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000957000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000397000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000397000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000C97000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000C97000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.12.dr Binary or memory string: VMware
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2386843694.000000000185D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.000000000141E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2159144547.0000000001452000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2294738509.0000000001C73000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.2294738509.0000000001C4C000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000012.00000002.2383036911.0000000001BE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: RageMP131.exe, 00000009.00000003.2212092354.0000000001C5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.12.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.12.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.12.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.12.dr Binary or memory string: vmci.syshbin
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.12.dr Binary or memory string: VMware, Inc.
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1hbin@
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: xVBoxService.exe
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: Amcache.hve.12.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000006.00000003.2057866974.000000000167D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}t#}
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: VMWare
Source: Amcache.hve.12.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWs
Source: MPGPH131.exe, 00000006.00000003.2204900291.00000000076CB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_CA5832A0
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BB2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.12.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.12.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: MPGPH131.exe, 00000007.00000002.2159144547.000000000141E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000D
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual RAM
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, 00000006.00000002.2395988276.000000000166B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX:j
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual USB Mouse
Source: file.exe, 00000000.00000002.2386843694.0000000001866000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001677000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}u&u
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001BBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}icrosoft Enhanced RSA and AES Cryptographic Provider
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Hyper-V (guest)
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2092342342.0000000001947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.portal.azure.comVMware20,11696428655
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: MPGPH131.exe, 00000006.00000002.2395988276.000000000166B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000V"}3vc
Source: Amcache.hve.12.dr Binary or memory string: \driver\vmci,\driver\pci
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000957000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000397000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000397000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000C97000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000C97000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: ~VirtualMachineTypes
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_CA5832A0T
Source: file.exe, 00000000.00000002.2385401815.0000000000957000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000397000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000397000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000C97000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000C97000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2092342342.0000000001947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,1169642865
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}=
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000002.2386843694.000000000185D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: Amcache.hve.12.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, 00000007.00000002.2159144547.0000000001434000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000003.2092342342.0000000001947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,1169642865
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: MPGPH131.exe, 00000006.00000003.2207488810.00000000016FD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\
Source: Amcache.hve.12.dr Binary or memory string: VMware20,1
Source: Amcache.hve.12.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.12.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.12.dr Binary or memory string: VMware VMCI Bus Device
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: Amcache.hve.12.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: pT7TyWFkl2bLWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: Amcache.hve.12.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A_f
Source: RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: VBoxService.exe
Source: Amcache.hve.12.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000006.00000003.2200909253.00000000076B5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: file.exe, file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 00000009.00000002.2294738509.0000000001C73000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWJ
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: file.exe, 00000000.00000003.2092342342.0000000001947000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696428x'
Source: file.exe, 00000000.00000002.2385401815.0000000000827000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.2394702425.0000000000267000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.2157341546.0000000000267000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000009.00000002.2293882117.0000000000B67000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000012.00000002.2382176518.0000000000B67000.00000040.00000001.01000000.00000006.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: RageMP131.exe, 00000012.00000002.2383036911.0000000001B57000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_006B8A54
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0074C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0074C630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00744130 mov eax, dword ptr fs:[00000030h] 0_2_00744130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00711A60 mov eax, dword ptr fs:[00000030h] 0_2_00711A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00184130 mov eax, dword ptr fs:[00000030h] 6_2_00184130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00151A60 mov eax, dword ptr fs:[00000030h] 6_2_00151A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00766E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_00766E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006B450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_006B450D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0074C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0074C630
Source: C:\Users\user\Desktop\file.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0075D2B0
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_006CB1A3
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_006D31B8
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_006D32E1
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_006D33E7
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_006D34BD
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_006CB726
Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_006D2B48
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_006D2D4D
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_006D2DF4
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_006D2E3F
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_006D2EDA
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_006D2F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 6_2_0019D2B0
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0075D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0075D2B0
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.12.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.12.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 00000006.00000002.2397922316.0000000007670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2112379303.00000000018E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2386843694.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2386843694.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2395988276.000000000160D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7356, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\2_C6p3QXcbFFG3yY8Vep02N.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\HtNUleLIfFhVUxnsVhhlEVf.zip, type: DROPPED
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\*W
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\ElectronCash\wallets\*
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxx*
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallets
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\walletsJ`
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallets
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ethereum\walletsJ`
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets*
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*ly!
Source: MPGPH131.exe, 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\*W
Source: file.exe, 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: Yara match File source: 00000000.00000002.2386843694.000000000188D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2395988276.0000000001691000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4760, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000006.00000002.2397922316.0000000007670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2112379303.00000000018E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2386843694.00000000017FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2386843694.00000000018E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2395988276.000000000160D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4760, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2520, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 4956, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 7356, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\2_C6p3QXcbFFG3yY8Vep02N.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\HtNUleLIfFhVUxnsVhhlEVf.zip, type: DROPPED