Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1435655
MD5: cd26ea5b17fe98a375ddfb645d9da46b
SHA1: 9fb4c16c99cbb30e93aa338c01da54752d5c6fa5
SHA256: 3d4f14601b29fae585157887a3fc30dfa95f1e01b380ae9d2b6d7b0f8fbe7b1c
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found stalling execution ending in API Sleep call
Hides threads from debuggers
PE file has nameless sections
Uses schtasks.exe or at.exe to add and modify task schedules
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 44%
Source: file.exe ReversingLabs: Detection: 44%
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00481F8C FindClose,FindFirstFileExW,GetLastError, 0_2_00481F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_015B4D7B FindFirstFileA, 6_2_015B4D7B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CC1F8C FindClose,FindFirstFileExW,GetLastError, 6_2_00CC1F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_015B4D7B FindFirstFileA, 7_2_015B4D7B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CC1F8C FindClose,FindFirstFileExW,GetLastError, 7_2_00CC1F8C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004B1F8C FindClose,FindFirstFileExW,GetLastError, 8_2_004B1F8C

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49705 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49715
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49715 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.5:49716
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49716 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49705
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49715
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.5:49716
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 147.45.47.93 147.45.47.93
Source: Joe Sandbox View IP Address: 104.26.4.15 104.26.4.15
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected (5 occurrences): GET /widget/demo/191.96.227.219 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic HTTP traffic detected (5 occurrences): GET /demo/home.php?s=191.96.227.219 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93 (50 occurrences)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00515940 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,FreeAddrInfoW,WSACleanup,FreeAddrInfoW, 0_2_00515940
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: file.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: MPGPH131.exe, 00000007.00000002.4626479867.0000000001D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.co
Source: file.exe, 00000000.00000002.4624289407.0000000000451000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624429088.0000000000C91000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4624681535.0000000000C91000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624369639.0000000000481000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4624659866.0000000000481000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000002.4626325451.00000000015F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.co
Source: MPGPH131.exe, 00000007.00000002.4626479867.0000000001D53000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4626006520.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RageMP131.exe, 00000008.00000002.4626006520.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/M
Source: RageMP131.exe, 0000000A.00000002.4626904888.0000000001471000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219
Source: MPGPH131.exe, 00000007.00000002.4626479867.0000000001D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219%
Source: file.exe, 00000000.00000002.4626325451.0000000001632000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219(
Source: MPGPH131.exe, 00000007.00000002.4626479867.0000000001D53000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219/
Source: RageMP131.exe, 00000008.00000002.4626006520.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.2197
Source: MPGPH131.exe, 00000006.00000002.4626578750.0000000001DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.2197g
Source: RageMP131.exe, 00000008.00000002.4626006520.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219Bh
Source: MPGPH131.exe, 00000006.00000002.4626578750.0000000001DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219K
Source: MPGPH131.exe, 00000006.00000002.4626578750.0000000001DF1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219O
Source: RageMP131.exe, 00000008.00000002.4626006520.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219m
Source: RageMP131.exe, 0000000A.00000002.4626904888.0000000001471000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/v
Source: MPGPH131.exe, 00000007.00000002.4626479867.0000000001CC7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4626363556.00000000013D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.227.219
Source: file.exe, 00000000.00000002.4626325451.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4626578750.0000000001DF1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4626006520.000000000140A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.227.219P
Source: RageMP131.exe, 0000000A.00000002.4626363556.000000000143D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4626904888.0000000001450000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4626904888.0000000001471000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.4626325451.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4626578750.0000000001DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4626479867.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4626006520.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4626904888.0000000001450000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.4624289407.0000000000451000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624429088.0000000000C91000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4624681535.0000000000C91000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624369639.0000000000481000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4624659866.0000000000481000.00000040.00000001.01000000.00000005.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.4626578750.0000000001D6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/jX
Source: file.exe, 00000000.00000002.4626325451.00000000015AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4626325451.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4626578750.0000000001DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4626578750.0000000001DAA000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4626479867.0000000001D01000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4626479867.0000000001D49000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4626006520.00000000013AA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4626904888.000000000145A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4626363556.0000000001411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.219
Source: RageMP131.exe, 00000008.00000002.4626006520.00000000013F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.219F
Source: MPGPH131.exe, 00000007.00000002.4626479867.0000000001D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.219u
Source: RageMP131.exe, 0000000A.00000002.4626363556.0000000001411000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.219~r
Source: MPGPH131.exe, 00000006.00000002.4626578750.0000000001DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4626479867.0000000001CC7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4626006520.00000000013F1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4626363556.00000000013D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.219
Source: file.exe, 00000000.00000002.4626325451.00000000015F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.219_
Source: file.exe, 00000000.00000002.4626325451.000000000156E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4626578750.0000000001D6D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4626479867.0000000001CC7000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4626006520.000000000136E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4626363556.00000000013D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000002.4626578750.0000000001D6D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTY
Source: RageMP131.exe, 0000000A.00000002.4626363556.00000000013D7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTj
Source: RageMP131.exe, 00000008.00000002.4626006520.000000000136E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTq7
Source: MPGPH131.exe, RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49719 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49718 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49724 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49726 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49727 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49728 version: TLS 1.2

System Summary

Source: file.exe Static PE information: section name: (empty; 6 nameless sections)
Source: RageMP131.exe.0.dr Static PE information: section name: (empty; 6 nameless sections)
Source: MPGPH131.exe.0.dr Static PE information: section name: (empty; 6 nameless sections)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0048C950 0_2_0048C950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0048A918 0_2_0048A918
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00487190 0_2_00487190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0049DA74 0_2_0049DA74
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00540350 0_2_00540350
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0049035F 0_2_0049035F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004A8BA0 0_2_004A8BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0047F570 0_2_0047F570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0053CFC0 0_2_0053CFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004A47AD 0_2_004A47AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E0A14 0_2_7F6E0A14
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E0000 0_2_7F6E0000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CC7190 6_2_00CC7190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CCC950 6_2_00CCC950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CCA918 6_2_00CCA918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CDDA74 6_2_00CDDA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CE8BA0 6_2_00CE8BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D80350 6_2_00D80350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CD035F 6_2_00CD035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CBF570 6_2_00CBF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D7CFC0 6_2_00D7CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CE47AD 6_2_00CE47AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_7EE50A14 6_2_7EE50A14
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_7EE50000 6_2_7EE50000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CC7190 7_2_00CC7190
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CCC950 7_2_00CCC950
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CCA918 7_2_00CCA918
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CDDA74 7_2_00CDDA74
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CE8BA0 7_2_00CE8BA0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00D80350 7_2_00D80350
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CD035F 7_2_00CD035F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CBF570 7_2_00CBF570
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00D7CFC0 7_2_00D7CFC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CE47AD 7_2_00CE47AD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_7F890A14 7_2_7F890A14
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_7F890000 7_2_7F890000
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004BC950 8_2_004BC950
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004BA918 8_2_004BA918
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004B7190 8_2_004B7190
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004CDA74 8_2_004CDA74
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_00570350 8_2_00570350
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004C035F 8_2_004C035F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004D8BA0 8_2_004D8BA0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004AF570 8_2_004AF570
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0056CFC0 8_2_0056CFC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004D47AD 8_2_004D47AD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_7F570A14 8_2_7F570A14
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_7F570000 8_2_7F570000
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 00CC4370 appears 48 times
Source: file.exe, 00000000.00000000.1966457296.00000000005F4000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9997569000426257
Source: file.exe Static PE information: Section: ZLIB complexity 0.9934290213178295
Source: file.exe Static PE information: Section: ZLIB complexity 0.9931640625
Source: file.exe Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997569000426257
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9934290213178295
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9931640625
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997569000426257
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9934290213178295
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9931640625
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: classification engine Classification label: mal100.troj.evad.winEXE@11/5@2/3
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131 Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3276:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000002.4624289407.0000000000451000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624429088.0000000000C91000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4624681535.0000000000C91000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624369639.0000000000481000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4624659866.0000000000481000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.4624289407.0000000000451000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624429088.0000000000C91000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4624681535.0000000000C91000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624369639.0000000000481000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4624659866.0000000000481000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe ReversingLabs: Detection: 44%
Source: file.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll Jump to behavior
Source: file.exe Static file information: File size 3112448 > 1048576
Source: file.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x210e00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.450000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 6.2.MPGPH131.exe.c90000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.c90000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 8.2.RageMP131.exe.480000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 10.2.RageMP131.exe.480000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0051C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0051C630
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00483F49 push ecx; ret 0_2_00483F5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E0F60 push 7F6E0002h; ret 0_2_7F6E0F6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1B60 push 7F6E0002h; ret 0_2_7F6E1B6F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E2760 push 7F6E0002h; ret 0_2_7F6E276F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E0B70 push 7F6E0002h; ret 0_2_7F6E0B7F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1770 push 7F6E0002h; ret 0_2_7F6E177F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E2370 push 7F6E0002h; ret 0_2_7F6E237F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E0B40 push 7F6E0002h; ret 0_2_7F6E0B4F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1740 push 7F6E0002h; ret 0_2_7F6E174F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E2340 push 7F6E0002h; ret 0_2_7F6E234F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1350 push 7F6E0002h; ret 0_2_7F6E135F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1F50 push 7F6E0002h; ret 0_2_7F6E1F5F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1320 push 7F6E0002h; ret 0_2_7F6E132F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1F20 push 7F6E0002h; ret 0_2_7F6E1F2F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E2B20 push 7F6E0002h; ret 0_2_7F6E2B2F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E0F30 push 7F6E0002h; ret 0_2_7F6E0F3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1B30 push 7F6E0002h; ret 0_2_7F6E1B3F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E2730 push 7F6E0002h; ret 0_2_7F6E273F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E0F00 push 7F6E0002h; ret 0_2_7F6E0F0F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1B00 push 7F6E0002h; ret 0_2_7F6E1B0F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E2700 push 7F6E0002h; ret 0_2_7F6E270F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1710 push 7F6E0002h; ret 0_2_7F6E171F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E2310 push 7F6E0002h; ret 0_2_7F6E231F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E13E0 push 7F6E0002h; ret 0_2_7F6E13EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1FE0 push 7F6E0002h; ret 0_2_7F6E1FEF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E0FF0 push 7F6E0002h; ret 0_2_7F6E0FFF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1BF0 push 7F6E0002h; ret 0_2_7F6E1BFF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E27F0 push 7F6E0002h; ret 0_2_7F6E27FF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E0FC0 push 7F6E0002h; ret 0_2_7F6E0FCF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1BC0 push 7F6E0002h; ret 0_2_7F6E1BCF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E27C0 push 7F6E0002h; ret 0_2_7F6E27CF
Source: file.exe Static PE information: section name: entropy: 7.999627958847489
Source: file.exe Static PE information: section name: entropy: 7.990663948848052
Source: file.exe Static PE information: section name: entropy: 7.821409236457194
Source: file.exe Static PE information: section name: entropy: 7.9921972703023565
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.999627958847489
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.990663948848052
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.821409236457194
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.9921972703023565
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.999627958847489
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.990663948848052
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.821409236457194
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.9921972703023565
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 757
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 8083
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4407
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4197
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 354
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4526
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 4069
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 8805
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 4684
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 4212
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 403
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe TID: 4372 Thread sleep count: 757 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6380 Thread sleep count: 181 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6380 Thread sleep time: -181000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6976 Thread sleep count: 72 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6976 Thread sleep time: -72000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4372 Thread sleep count: 332 > 30
Source: C:\Users\user\Desktop\file.exe TID: 4372 Thread sleep time: -33532s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6380 Thread sleep count: 8083 > 30
Source: C:\Users\user\Desktop\file.exe TID: 6380 Thread sleep time: -8083000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3716 Thread sleep count: 166 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3716 Thread sleep count: 169 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3192 Thread sleep count: 4407 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3192 Thread sleep time: -4407000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3716 Thread sleep count: 63 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3364 Thread sleep count: 4197 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3364 Thread sleep time: -4197000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3716 Thread sleep count: 354 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3716 Thread sleep time: -35754s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4696 Thread sleep count: 165 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4696 Thread sleep count: 146 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3356 Thread sleep count: 4526 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3356 Thread sleep time: -4526000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3808 Thread sleep count: 4069 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3808 Thread sleep time: -4069000s >= -30000s
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4696 Thread sleep count: 64 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4696 Thread sleep count: 320 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4696 Thread sleep time: -32320s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6692 Thread sleep count: 8805 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6692 Thread sleep time: -8805000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3160 Thread sleep count: 219 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3160 Thread sleep time: -219000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1656 Thread sleep count: 305 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1656 Thread sleep time: -30805s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3116 Thread sleep count: 4684 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3116 Thread sleep time: -4684000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3652 Thread sleep count: 4212 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3652 Thread sleep time: -4212000s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2072 Thread sleep count: 403 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2072 Thread sleep time: -40703s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00481F8C FindClose,FindFirstFileExW,GetLastError, 0_2_00481F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_015B4D7B FindFirstFileA, 6_2_015B4D7B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CC1F8C FindClose,FindFirstFileExW,GetLastError, 6_2_00CC1F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_015B4D7B FindFirstFileA, 7_2_015B4D7B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CC1F8C FindClose,FindFirstFileExW,GetLastError, 7_2_00CC1F8C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004B1F8C FindClose,FindFirstFileExW,GetLastError, 8_2_004B1F8C
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000002.4626006520.00000000013C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.4626479867.0000000001D35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}1U
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: vmware
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RageMP131.exe, 0000000A.00000003.2255537072.000000000143B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 00000008.00000003.2196026520.00000000013DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Hyper-V (guest)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000F67000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000757000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000757000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ~VirtualMachineTypes
Source: RageMP131.exe, 00000008.00000002.4626006520.00000000013C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000n
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000F67000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000757000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000757000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.4624855267.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000F67000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000F67000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000757000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000757000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: RageMP131.exe, 00000008.00000002.4626006520.000000000136E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000P
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.4626479867.0000000001D1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.4626325451.00000000015F0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4626578750.0000000001DF1000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4626578750.0000000001DCB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4626479867.0000000001D53000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4626006520.000000000140A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4626904888.0000000001471000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000003.2255537072.0000000001443000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 00000008.00000003.2196026520.00000000013DD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}j
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, 00000007.00000003.2057416388.0000000001D35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A#T
Source: RageMP131.exe, 00000008.00000002.4626006520.00000000013D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}M
Source: file.exe, 00000000.00000003.2002858332.00000000015DF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}N
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: xVBoxService.exe
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: VBoxService.exe
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: MPGPH131.exe, 00000007.00000002.4626479867.0000000001D1F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.4626325451.00000000015C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(l`
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000002.4626363556.0000000001431000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWX)G
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: VMWare
Source: MPGPH131.exe, 00000006.00000002.4626578750.0000000001D6D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000|&z
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: MPGPH131.exe, 00000006.00000002.4626578750.0000000001DF1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWK
Source: RageMP131.exe, 00000008.00000002.4626006520.000000000140A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWL
Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 0000000A.00000002.4626363556.00000000013D7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: file.exe, 00000000.00000002.4624855267.00000000005F7000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4624931837.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.4625130584.0000000000E37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.4624657860.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000001.2149326054.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.4625070928.0000000000627000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000001.2239935543.0000000000627000.00000040.00000001.01000000.00000005.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00488A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00488A54
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0051C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0051C630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00488A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00488A54
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0048450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_0048450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CC8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00CC8A54
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00CC450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00CC450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CC8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00CC8A54
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00CC450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_00CC450D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004B8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_004B8A54
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_004B450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_004B450D

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0051C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0051C630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 6_2_00D5C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 6_2_00D5C630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00D5C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 7_2_00D5C630
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: 8_2_0054C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 8_2_0054C630
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0049B1A3
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004A31B8
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_004A32E1
Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_004A2B48
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004A33E7
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_004A34BD
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_004A2D4D
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004A2DF4
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004A2E3F
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_004A2EDA
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_004A2F65
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0049B726
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00CDB1A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00CE31B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_00CE32E1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00CE33E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 6_2_00CE2B48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoA, 6_2_015B4D69
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_00CE34BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00CE2DF4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00CE2D4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00CE2EDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 6_2_00CE2E3F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_00CE2F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 6_2_00CDB726
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00CDB1A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00CE31B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_00CE32E1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00CE33E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 7_2_00CE2B48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoA, 7_2_015B4D69
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_00CE34BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00CE2DF4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00CE2D4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00CE2EDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_00CE2E3F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_00CE2F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_00CDB726
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: EnumSystemLocalesW, 8_2_004CB1A3
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW, 8_2_004D31B8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_004D32E1
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 8_2_004D2B48
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW, 8_2_004D33E7
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_004D34BD
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW, 8_2_004D2D4D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: EnumSystemLocalesW, 8_2_004D2DF4
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: EnumSystemLocalesW, 8_2_004D2E3F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: EnumSystemLocalesW, 8_2_004D2EDA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 8_2_004D2F65
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetLocaleInfoW, 8_2_004CB726
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0048360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_0048360D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_7F6E1D70 GetUserNameA, 0_2_7F6E1D70
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: file.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2320, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: file.exe PID: 3536, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 4712, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 2568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 5060, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 2320, type: MEMORYSTR