Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
Analysis ID: 1435113
MD5: 6bf87e7f53315e6a41de8e99b6702341
SHA1: 125a7d887df3d2ab6f09e87d7c0ffc883eeea35b
SHA256: 7cf9c3f092afee2ba38d660aa59e263b329ecc899e583660cd3b59fcd29f9a02
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found stalling execution ending in API Sleep call
Hides threads from debuggers
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 50%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 51%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 51%
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Virustotal: Detection: 51%
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00092012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_00092012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00143B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00143B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000F13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_000F13F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000F1680 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,lstrlen, 0_2_000F1680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00091F8C FindClose,FindFirstFileExW,GetLastError, 0_2_00091F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F01F8C FindClose,FindFirstFileExW,GetLastError, 6_2_00F01F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F01F8C FindClose,FindFirstFileExW,GetLastError, 7_2_00F01F8C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00801F8C FindClose,FindFirstFileExW,GetLastError, 8_2_00801F8C

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49707 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49716
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49716 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49721
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49721 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49716
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49721
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93
Source: Joe Sandbox View IP Address: 104.26.5.15
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io (4 occurrences)
Source: global traffic HTTP traffic detected (5 occurrences): GET /widget/demo/191.96.150.225 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic HTTP traffic detected (5 occurrences): GET /demo/home.php?s=191.96.150.225 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93 (50 occurrences)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00125940 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW, 0_2_00125940
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/6K
Source: MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/Gf
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BBC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225(
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.2251
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225c
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225le
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225leM
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225sstD24
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225t
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.150.225u
Source: MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.150.225P
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001B6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/N
Source: MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/X
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001319000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.00000000007F9000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B70000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001BB8000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881296394.0000000001BB8000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001B7B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225$
Source: MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.150.225Ly
Source: MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225&
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.2256
Source: MPGPH131.exe, 00000007.00000002.3551189307.0000000001B5B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.150.225e
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.R
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.00000000012DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.00000000007BD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B37000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001B3E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001BAD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botQ=
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3552227478.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000003.3012779154.00000000013A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botrisepro
Source: MPGPH131.exe, RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49723 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49726 version: TLS 1.2

System Summary

Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00158080 0_2_00158080
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_001A40A0 0_2_001A40A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0019C8D0 0_2_0019C8D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_001920C0 0_2_001920C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0009A918 0_2_0009A918
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00101130 0_2_00101130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0009C950 0_2_0009C950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_001A3160 0_2_001A3160
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00097190 0_2_00097190
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_001A5A40 0_2_001A5A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000ADA74 0_2_000ADA74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0019F280 0_2_0019F280
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_001A4AE0 0_2_001A4AE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00150350 0_2_00150350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000A035F 0_2_000A035F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00144B90 0_2_00144B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000B8BA0 0_2_000B8BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000F0BA0 0_2_000F0BA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0008F570 0_2_0008F570
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000B25FE 0_2_000B25FE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000B8E20 0_2_000B8E20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00101E40 0_2_00101E40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000F1680 0_2_000F1680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000B47AD 0_2_000B47AD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0014CFC0 0_2_0014CFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0014BFC0 0_2_0014BFC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A06DA 0_2_7F5A06DA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A0000 0_2_7F5A0000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F07190 6_2_00F07190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F0C950 6_2_00F0C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F0A918 6_2_00F0A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F1DA74 6_2_00F1DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F28BA0 6_2_00F28BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FC0350 6_2_00FC0350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F1035F 6_2_00F1035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F225FE 6_2_00F225FE
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00EFF570 6_2_00EFF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00FBCFC0 6_2_00FBCFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F247AD 6_2_00F247AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_7F8C06DA 6_2_7F8C06DA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_7F8C0000 6_2_7F8C0000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F07190 7_2_00F07190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F0C950 7_2_00F0C950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F0A918 7_2_00F0A918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F1DA74 7_2_00F1DA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F28BA0 7_2_00F28BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FC0350 7_2_00FC0350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F1035F 7_2_00F1035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F225FE 7_2_00F225FE
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00EFF570 7_2_00EFF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00FBCFC0 7_2_00FBCFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F247AD 7_2_00F247AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_7ECD06DA 7_2_7ECD06DA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_7ECD0000 7_2_7ECD0000
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00807190 8_2_00807190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0080A918 8_2_0080A918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0080C950 8_2_0080C950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0081DA74 8_2_0081DA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00828BA0 8_2_00828BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_008C0350 8_2_008C0350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0081035F 8_2_0081035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_007FF570 8_2_007FF570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_008225FE 8_2_008225FE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_008247AD 8_2_008247AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_008BCFC0 8_2_008BCFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_7F0906DA 8_2_7F0906DA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_7F090000 8_2_7F090000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: String function: 0007ACE0 appears 40 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00F04370 appears 48 times
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549870958.0000000000204000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: Section: ZLIB complexity 0.999750239769821
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: Section: ZLIB complexity 0.9934138808139535
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: Section: ZLIB complexity 0.9931640625
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.999750239769821
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9934138808139535
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9931640625
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.999750239769821
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9934138808139535
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9931640625
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@3/3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00144B90 CopyFileA,GetLastError,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,Process32Next,CloseHandle, 0_2_00144B90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5880:120:WilError_03
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3549484223.0000000000061000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3550635218.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3549710928.0000000000ED1000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3549517968.00000000007D1000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3549725655.00000000007D1000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Virustotal: Detection: 51%
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static file information: File size 3219456 > 1048576
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x22b000

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe.60000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.ed0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.ed0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.7d0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 10.2.RageMP131.exe.7d0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0012C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0012C630
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00093F49 push ecx; ret 0_2_00093F5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A0F50 push 7F5A0002h; ret 0_2_7F5A0F5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A2750 push 7F5A0002h; ret 0_2_7F5A275F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1F40 push 7F5A0002h; ret 0_2_7F5A1F4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1F70 push 7F5A0002h; ret 0_2_7F5A1F7F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1760 push 7F5A0002h; ret 0_2_7F5A176F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1F10 push 7F5A0002h; ret 0_2_7F5A1F1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1700 push 7F5A0002h; ret 0_2_7F5A170F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1730 push 7F5A0002h; ret 0_2_7F5A173F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A0F20 push 7F5A0002h; ret 0_2_7F5A0F2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A2720 push 7F5A0002h; ret 0_2_7F5A272F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1FD0 push 7F5A0002h; ret 0_2_7F5A1FDF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A17C0 push 7F5A0002h; ret 0_2_7F5A17CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A17F0 push 7F5A0002h; ret 0_2_7F5A17FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A0FE0 push 7F5A0002h; ret 0_2_7F5A0FEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A27E0 push 7F5A0002h; ret 0_2_7F5A27EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1790 push 7F5A0002h; ret 0_2_7F5A179F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A0F80 push 7F5A0002h; ret 0_2_7F5A0F8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A2780 push 7F5A0002h; ret 0_2_7F5A278F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A0FB0 push 7F5A0002h; ret 0_2_7F5A0FBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A27B0 push 7F5A0002h; ret 0_2_7F5A27BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1FA0 push 7F5A0002h; ret 0_2_7F5A1FAF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1E50 push 7F5A0002h; ret 0_2_7F5A1E5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1640 push 7F5A0002h; ret 0_2_7F5A164F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1670 push 7F5A0002h; ret 0_2_7F5A167F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A0E60 push 7F5A0002h; ret 0_2_7F5A0E6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A2660 push 7F5A0002h; ret 0_2_7F5A266F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1610 push 7F5A0002h; ret 0_2_7F5A161F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A0E00 push 7F5A0002h; ret 0_2_7F5A0E0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A2600 push 7F5A0002h; ret 0_2_7F5A260F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A0E30 push 7F5A0002h; ret 0_2_7F5A0E3F
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name: entropy: 7.999603691993064
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name: entropy: 7.991172527649386
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name: entropy: 7.81663229040033
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Static PE information: section name: entropy: 7.993404858996497
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.999603691993064
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.991172527649386
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.81663229040033
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.993404858996497
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.999603691993064
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.991172527649386
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.81663229040033
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.993404858996497
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Window / User API: threadDelayed 727
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Window / User API: threadDelayed 7866
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 8742
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 8977
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 552
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 4479
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 3891
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 425
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 4886
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 3934
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 495
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 4296 Thread sleep count: 727 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 4296 Thread sleep count: 162 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2468 Thread sleep count: 101 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2468 Thread sleep time: -101000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2232 Thread sleep count: 347 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2232 Thread sleep time: -347000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 4296 Thread sleep count: 40 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2232 Thread sleep count: 7866 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 2232 Thread sleep time: -7866000s >= -30000s
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe TID: 4296 Thread sleep count: 200 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708 Thread sleep count: 266 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6392 Thread sleep count: 8742 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6392 Thread sleep time: -8742000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5864 Thread sleep count: 125 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5864 Thread sleep time: -125000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708 Thread sleep count: 52 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708 Thread sleep count: 34 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708 Thread sleep count: 244 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720 Thread sleep count: 78 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1164 Thread sleep count: 8977 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1164 Thread sleep time: -8977000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6156 Thread sleep count: 77 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6156 Thread sleep time: -77000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720 Thread sleep count: 51 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720 Thread sleep count: 36 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092 Thread sleep count: 552 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3252 Thread sleep count: 4479 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3252 Thread sleep time: -4479000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 368 Thread sleep count: 3891 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 368 Thread sleep time: -3891000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092 Thread sleep count: 45 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092 Thread sleep count: 425 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092 Thread sleep time: -42925s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5060 Thread sleep count: 4886 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5060 Thread sleep time: -4886000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1172 Thread sleep count: 3934 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1172 Thread sleep time: -3934000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5480 Thread sleep count: 495 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5480 Thread sleep time: -49995s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00092012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_00092012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00143B20 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00143B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000F13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_000F13F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000F1680 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlen,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,lstrlen, 0_2_000F1680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00091F8C FindClose,FindFirstFileExW,GetLastError, 0_2_00091F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F01F8C FindClose,FindFirstFileExW,GetLastError, 6_2_00F01F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F01F8C FindClose,FindFirstFileExW,GetLastError, 7_2_00F01F8C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00801F8C FindClose,FindFirstFileExW,GetLastError, 8_2_00801F8C
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001B99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, 00000006.00000003.2137786762.000000000082D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}E|
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000007.00000002.3551189307.0000000001B62000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000+
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: vmware
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001347000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}#$_
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RageMP131.exe, 0000000A.00000003.2295286562.0000000001B15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000006.00000002.3549743484.000000000081B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ~\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000g}
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.000000000133B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000X
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Hyper-V (guest)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ~VirtualMachineTypes
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000337000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.00000000011A7000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.00000000011A7000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000AA7000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001AFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}7
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001B6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000T
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.3551189307.0000000001B8F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.000000000133B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.0000000000840000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3549743484.000000000081B000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551704658.0000000001BC2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3551189307.0000000001B8F000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.2881018682.0000000001BC1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3552009163.0000000001BC6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001AFF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3551742424.0000000001B26000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000003.2295286562.0000000001B13000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001AFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000007.00000003.2137471360.0000000001BA5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000003.2242313224.0000000001BAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Z
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 00000008.00000003.2242313224.0000000001BAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:;
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001347000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Via W
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000002.3552009163.0000000001BAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b};3
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: xVBoxService.exe
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.000000000133B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sik&ven_vmware&prod_vidi&1656f219&0&000000#{07f-11d0-94f2-00a0c91e
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: VBoxService.exe
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: VMWare
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3550003524.0000000000207000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3551206124.0000000001077000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3550040233.0000000000977000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
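
Three different kinds of evidence are mixed in the memory strings above, and a triage script should keep them apart. The `\\?\scsi#disk&ven_vmware&prod_virtual_disk#...#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}` strings are disk device-interface paths (the GUID is GUID_DEVINTERFACE_DISK) and `SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\...` is the matching device instance ID, the shape SetupAPI enumeration returns; `VBoxService.exe` is the VirtualBox guest-tooling process name. The long run of "Windows ... without Hyper-V" strings is different: "without Hyper-V" is part of the Windows product-edition (SKU) name, so those lines show an OS-edition lookup table, not a Hyper-V check. The odd byte in front of many of them (`7` before a 55-character name, `%` before a 37-character one) is a one-byte length prefix, which is how a packed string table reads in a memory dump. The Python below is an added example, not part of the Joe Sandbox report, that parses records in this report's "Binary or memory string" format and groups them along those lines. The sample input is a constructed excerpt of lines from above; the category labels and hypervisor attribution are this example's own.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's own "Binary or memory string" record
# format; the lines are copied from the report above, the classification
# labels below are this example's own, not the sandbox's.
SAMPLE_REPORT = r"""
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001AFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/
Source: RageMP131.exe, 0000000A.00000002.3551742424.0000000001AA7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: xVBoxService.exe
Source: RageMP131.exe, 0000000A.00000002.3550171437.0000000000977000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: VMWare
Source: MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000007.00000002.3550023689.0000000001077000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe, 00000000.00000002.3551599762.0000000001361000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[
"""

RECORD_RE = re.compile(
    r"^Source: (?P<proc>[^,]+), (?P<region>\S+) Binary or memory string: (?P<s>.*)$"
)

# (label, pattern, hypervisor the string is evidence for, or None).
# Order matters: the first matching rule wins.
RULES = [
    ("vmware_scsi_device_id", re.compile(r"ven_vmware|prod_virtual_disk", re.I), "VMware"),
    ("vmware_brand_string", re.compile(r"vmware", re.I), "VMware"),
    ("virtualbox_guest_process", re.compile(r"vboxservice\.exe", re.I), "VirtualBox"),
    # Product-edition names: an OS fingerprinting table, not a hypervisor probe.
    ("windows_edition_name", re.compile(r"^.?Windows .*Hyper-V"), None),
    # Bare keyword hit; needs manual review before it counts as evidence.
    ("hyperv_keyword", re.compile(r"hyper-v", re.I), None),
]


def parse_records(text):
    """Yield (process, memory_region, string) for each well-formed record."""
    for line in text.strip().splitlines():
        m = RECORD_RE.match(line)
        if m:
            yield m["proc"], m["region"], m["s"]


def classify(s):
    """Return (label, hypervisor_or_None) for one memory string."""
    for label, pattern, hypervisor in RULES:
        if pattern.search(s):
            return label, hypervisor
    return "unclassified", None


def strip_length_prefix(s):
    """Edition names in this report carry a one-byte length prefix, e.g.
    '7Windows 2012 ... without Hyper-V' has chr(55) before 55 characters.
    Return the bare name when the prefix checks out, otherwise s unchanged."""
    if len(s) >= 2 and ord(s[0]) == len(s) - 1:
        return s[1:]
    return s


def triage(text):
    """Group matched strings per process and collect the hypervisors probed."""
    per_proc = defaultdict(lambda: defaultdict(list))
    hypervisors = set()
    for proc, _region, s in parse_records(text):
        label, hypervisor = classify(s)
        if label == "windows_edition_name":
            s = strip_length_prefix(s)
        per_proc[proc][label].append(s)
        if hypervisor:
            hypervisors.add(hypervisor)
    return per_proc, hypervisors


if __name__ == "__main__":
    per_proc, hypervisors = triage(SAMPLE_REPORT)
    print("hypervisor artifacts referenced:", ", ".join(sorted(hypervisors)))
    for proc, groups in per_proc.items():
        for label, strings in groups.items():
            print(f"{proc}: {label} x{len(strings)}")
```

Run against the excerpt, `triage` attributes VMware and VirtualBox probing to RageMP131.exe, files the edition names under OS fingerprinting with their length bytes removed, and leaves `Hyper-V RAW[` as a keyword hit for a human to look at rather than counting it as hypervisor evidence.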

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00098A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00098A54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0012C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0012C630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000F1680 mov eax, dword ptr fs:[00000030h] 0_2_000F1680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00146E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_00146E20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00098A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00098A54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0009450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0009450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F08A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00F08A54
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F0450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00F0450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F08A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00F08A54
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F0450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00F0450D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00808A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00808A54
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0080450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_0080450D
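
Read together, the findings above are the usual anti-analysis trio. `HideFromDebugger` is the sandbox's name for NtSetInformationThread with ThreadHideFromDebugger (0x11); afterwards the thread delivers no debug events, so a breakpoint placed in it becomes an unhandled exception instead of a debugger stop. `mov eax, dword ptr fs:[00000030h]` loads the PEB pointer from the TEB on 32-bit Windows, the first step of hand-rolled checks of PEB.BeingDebugged (offset 0x02) or NtGlobalFlag (offset 0x68) that do not import IsDebuggerPresent. The VirtualAllocEx / WriteProcessMemory / CreateRemoteThread sequence at `0_2_0012C630`, with LoadLibraryA and GetProcAddress in between, has the shape of LoadLibrary-based remote-thread DLL injection (the same function is listed again under HIPS / PFW below). The GetProcessHeap line is much weaker evidence: heap Flags/ForceFlags checks start that way, but so does ordinary CRT allocation. The Python below is an added example, not part of the report, that turns records in the "Thread information set" and "Code function" formats into technique tags with a confidence level and checks call order rather than mere presence; the input is a constructed excerpt of the lines above, and the tags and confidence values are this example's own.

```python
import re
from collections import defaultdict

# Constructed input in the report's own "Thread information set" and
# "Code function" record formats (lines taken from the report above).
SAMPLE_REPORT = r"""
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00098A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00098A54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0012C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0012C630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_000F1680 mov eax, dword ptr fs:[00000030h] 0_2_000F1680
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_00146E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_00146E20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0009450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0009450D
"""

THREAD_RE = re.compile(r"^Source: (?P<proc>.+?) Thread information set: (?P<info>\S+)")
# The function id is repeated at the end of every "Code function" record.
CODE_RE = re.compile(r"^Source: (?P<proc>.+?) Code function: (?P<fid>\S+) (?P<body>.+?),? (?P=fid)$")
PEB_RE = re.compile(r"fs:\[0*30h\]", re.I)  # TEB+0x30 holds the PEB pointer on x86


def in_order(chain, *apis):
    """True when every API in `apis` appears in `chain` in that order."""
    pos = 0
    for api in apis:
        try:
            pos = chain.index(api, pos) + 1
        except ValueError:
            return False
    return True


def classify_chain(body):
    """Map one function's API sequence to a list of (tag, confidence)."""
    if PEB_RE.search(body):
        # Direct PEB read: BeingDebugged sits at PEB+0x02, NtGlobalFlag at +0x68.
        return [("peb_read_fs30", "high")]
    chain = [api for api in body.split(",") if api]
    findings = []
    if "IsDebuggerPresent" in chain:
        findings.append(("isdebuggerpresent", "high"))
    # Allocate, write, then start a thread in another process, in that order.
    if in_order(chain, "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread"):
        tag = "remote_thread_injection"
        if "LoadLibraryA" in chain and "GetProcAddress" in chain:
            # Resolving an export and starting a remote thread is the
            # textbook LoadLibrary-based DLL injection shape.
            tag = "remote_thread_injection_loadlibrary"
        findings.append((tag, "high"))
    if "GetProcessHeap" in chain:
        # Heap Flags/ForceFlags checks start this way, but so does ordinary
        # CRT heap use; keep it low confidence.
        findings.append(("heap_flags_probe_candidate", "low"))
    return findings


def analyze(text):
    """Return {process: [(location, tag, confidence), ...]}."""
    results = defaultdict(list)
    for line in text.strip().splitlines():
        m = THREAD_RE.match(line)
        if m and m["info"] == "HideFromDebugger":
            # NtSetInformationThread(ThreadHideFromDebugger): debug events
            # from this thread are no longer delivered to an attached debugger.
            results[m["proc"]].append(("thread", "hide_from_debugger", "high"))
            continue
        m = CODE_RE.match(line)
        if m:
            for tag, conf in classify_chain(m["body"]):
                results[m["proc"]].append((m["fid"], tag, conf))
    return results


def high_confidence_tags(results, proc):
    """Distinct high-confidence technique tags seen for one process."""
    return sorted({tag for _loc, tag, conf in results[proc] if conf == "high"})


if __name__ == "__main__":
    results = analyze(SAMPLE_REPORT)
    for proc, findings in results.items():
        print(proc)
        for loc, tag, conf in findings:
            print(f"  {loc:14} {tag:38} {conf}")
```

`in_order` is what separates this from a keyword grep: a function that merely imports VirtualAllocEx and CreateRemoteThread in the wrong order (or only one of them) is not tagged as injection, while the SetUnhandledExceptionFilter / TerminateProcess function at `0_2_0009450D` produces no finding at all, since that sequence is plain CRT shutdown code.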

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0012C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0012C630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00F9C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 6_2_00F9C630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00F9C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 7_2_00F9C630
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0089C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 8_2_0089C630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: EnumSystemLocalesW, 0_2_000AB1A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: GetLocaleInfoW, 0_2_000B31B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_000B32E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_000B2B48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: GetLocaleInfoW, 0_2_000B33E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_000B34BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: GetLocaleInfoW, 0_2_000B2D4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: EnumSystemLocalesW, 0_2_000B2DF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: EnumSystemLocalesW, 0_2_000B2E3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: EnumSystemLocalesW, 0_2_000B2EDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: GetLocaleInfoW, 0_2_000AB726
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_000B2F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00F231B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00F1B1A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_00F232E1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00F233E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_00F22B48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_00F234BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00F22DF4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00F22D4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00F22EDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00F22E3F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00F22F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00F1B726
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00F231B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00F1B1A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_00F232E1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00F233E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 7_2_00F22B48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_00F234BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00F22DF4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00F22D4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00F22EDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00F22E3F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_00F22F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00F1B726
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: EnumSystemLocalesW, 8_2_0081B1A3
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW, 8_2_008231B8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_008232E1
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW, 8_2_008233E7
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 8_2_00822B48
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_008234BD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: EnumSystemLocalesW, 8_2_00822DF4
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW, 8_2_00822D4D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: EnumSystemLocalesW, 8_2_00822EDA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: EnumSystemLocalesW, 8_2_00822E3F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW, 8_2_0081B726
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_00822F65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_0009360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_0009360D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Code function: 0_2_7F5A1AC0 GetUserNameA, 0_2_7F5A1AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe PID: 5080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5516, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.8803.13656.exe PID: 5080, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 1440, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6552, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2724, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5516, type: MEMORYSTR