Windows Analysis Report
SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe

Overview

General Information

Sample name: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe
Analysis ID: 1435791
MD5: 8d6e0fa54df379d380222a4051ab848c
SHA1: aaf9a4b13c41beb62d8b40440a37e999c512a33a
SHA256: bc85f6c9d136388898852a62309eef10a34b3118fd024281e14e468594c2ff9f
Tags: exe, RiseProStealer

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected RisePro Stealer
Connects to many ports of the same IP (likely port scanning)
Contains functionality to inject threads in other processes
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
PE file has nameless sections
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evaded block containing many API calls
Found evasive API chain (date check)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

AV Detection

Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Avira: detected
Source: http://147.45.47.102:57893/hera/amadka.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Avira: detection malicious, Label: HEUR/AGEN.1306558
Source: http://147.45.47.102:57893/hera/amadka.exeot Virustotal: Detection: 15%
Source: http://147.45.47.102:57893/hera/amadka.exe68.0 Virustotal: Detection: 15%
Source: http://193.233.132.56/cost/go.exe Virustotal: Detection: 25%
Source: http://147.45.47.102:57893/hera/amadka.exe Virustotal: Detection: 18%
Source: http://193.233.132.56/cost/lenin.exe Virustotal: Detection: 26%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe ReversingLabs: Detection: 50%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Virustotal: Detection: 58%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Virustotal: Detection: 58%
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Virustotal: Detection: 58%
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_00643EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 0_2_00643EB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00823EB0 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 7_2_00823EB0
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.82:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.82:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_0065D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0065D2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_006433B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_006433B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_00611A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 0_2_00611A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_00663B20 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00663B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_005B1F8C FindClose,FindFirstFileExW,GetLastError, 0_2_005B1F8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_005B2012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_005B2012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_006113F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_006113F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0083D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 7_2_0083D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_008233B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 7_2_008233B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_007F1A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree, 7_2_007F1A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00843B20 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 7_2_00843B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00791F8C FindClose,FindFirstFileExW,GetLastError, 7_2_00791F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00792012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 7_2_00792012
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_007F13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 7_2_007F13F0
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_703cab63ddfc30e52e5285a77dd3d65328718bd_cadc5c4f_ca1ea967-fef8-45d7-a94d-43811e9047c7\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_f7fc5d77e4181bfc8c190387d813954cf99dd80_2d68038f_ba0e7d69-f458-483a-978e-dbc15423d24c\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49730
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49744
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49745
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49744
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49745
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49745 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49744 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49760
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49760
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 147.45.47.93:58709 -> 192.168.2.4:49763
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49760 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49763 -> 147.45.47.93:58709
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 147.45.47.93:58709 -> 192.168.2.4:49763
Source: global traffic TCP traffic: 147.45.47.93 ports 0,5,7,8,58709,9
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 147.45.47.93:58709
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15
Source: Joe Sandbox View IP Address: 239.255.255.250
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown TCP traffic detected without corresponding DNS query: 104.46.162.224
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 147.45.47.93
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 52.165.165.26
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: unknown TCP traffic detected without corresponding DNS query: 23.51.58.94
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_006452A0 recv,GetCurrentProcess, 0_2_006452A0
Source: global traffic HTTP traffic detected:
    GET /widget/demo/191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
Source: global traffic HTTP traffic detected:
    GET /demo/home.php?s=191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
Source: global traffic HTTP traffic detected:
    GET /async/ddljson?async=ntp:2 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /async/newtab_promos HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected:
    GET /sorry/index?continue=https://www.google.com/async/newtab_ogb%3Fhl%3Den-US%26async%3Dfixed:0&hl=en-US&q=EgS_YOPbGLbp0bEGIjA9RjS4dnTf9TMc_WNOZoEqYCGZPMusvyHbkcGkBp0b60YgEyf8aWQGPDnoAkT6yZQyAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiWocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUX
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 1P_JAR=2024-05-03-05; NID=513=APNOzOblleRB1aJFPx8Z_gRLPnRmzF3um8G7RczJpJHmMs2PjggLJuQJDSfSkkQEQw4W68eqU9PX_RTcXywZXXUq_AQqC0hF8Ap_QEpQOLc-nzbFkFzjdPZ3R_RYwXhxUJye9FK_ULZoYVxD6FGWtw5mxdI8GicRmXl8qJSIPUA
Source: global traffic HTTP traffic detected:
    GET /sorry/index?continue=https://www.google.com/async/newtab_promos&q=EgS_YOPbGLfp0bEGIjBOCVhRAJULzteCOxPiY_X6uQIji4BS0T9mLaHtP_Am7ecKTeSvtZKtamBURy9fib0yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: cross-site
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 1P_JAR=2024-05-03-05; NID=513=cj89ODLx9-NktihWgR6pcEkVLJtmzBmUJFxO5DHSM_Ex4E-3z8ovz6JNixtHvLzVH43EiHaIwe1tovaDxh4FgY0d0QihWT12B-WBStzI-FDmf6tkDRL3VTxmW2AgAZsr1Tppx2YUWmkCPuT4nscUI9perMpwKY6l9iEl-alk_30
Source: global traffic HTTP traffic detected:
    GET /sorry/index?continue=https://www.google.com/async/ddljson%3Fasync%3Dntp:2&q=EgS_YOPbGLbp0bEGIjDNZc3MZHlf1E0orMqnosUmz6W763DCXYHXDGytrbaZJcGJLjun_vRC8GiTovYLXb8yAXJKGVNPUlJZX0FCVVNJVkVfTkVUX01FU1NBR0VaAUM HTTP/1.1
    Host: www.google.com
    Connection: keep-alive
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: empty
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: 1P_JAR=2024-05-03-05; NID=513=EQD99ALJd6fOZu26GG9BtUjXBRf2gGBsuk5QaS83mUVQaqMpvZ4LNdhssAidlPr7GtfSBFeiMvNnnYNjxcnDCKLiRS44NSdXzIk9nQXC3r6txe-PaW2vKLuatBzEjiBpwv1s228V4FQEbPNYX_vzR8IICWLCpTWJe0qikJMZQ84
Source: global traffic HTTP traffic detected:
    GET /widget/demo/191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
Source: global traffic HTTP traffic detected:
    GET /widget/demo/191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
Source: global traffic HTTP traffic detected:
    GET /demo/home.php?s=191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
Source: global traffic HTTP traffic detected:
    GET /demo/home.php?s=191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
Source: global traffic HTTP traffic detected:
    GET /fs/windows/config.json HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    Accept-Encoding: identity
    If-Unmodified-Since: Tue, 16 May 2017 22:58:00 GMT
    Range: bytes=0-2147483646
    User-Agent: Microsoft BITS/7.8
    Host: fs.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=obBedr2UOoU2yNe&MD=DdSnfapD HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic HTTP traffic detected:
    GET /widget/demo/191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
Source: global traffic HTTP traffic detected:
    GET /demo/home.php?s=191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
Source: global traffic HTTP traffic detected:
    GET /widget/demo/191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Referer: https://ipinfo.io/
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: ipinfo.io
Source: global traffic HTTP traffic detected:
    GET /demo/home.php?s=191.96.227.219 HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
    Host: db-ip.com
Source: global traffic HTTP traffic detected:
    GET /SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.2006/0?CH=700&L=en-GB&P=&PT=0x30&WUA=10.0.19041.1949&MK=obBedr2UOoU2yNe&MD=DdSnfapD HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Windows-Update-Agent/10.0.10011.16384 Client-Protocol/2.33
    Host: slscr.update.microsoft.com
Source: global traffic DNS traffic detected: DNS query: google.com
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: unknown HTTP traffic detected:
    POST /RST2.srf HTTP/1.0
    Connection: Keep-Alive
    Content-Type: application/soap+xml
    Accept: */*
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 10.0; Win64; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729; IDCRL 24.10.0.19045.0.0; IDCRL-cfg 16.000.29743.00; App svchost.exe, 10.0.19041.1806, {DF60E2DF-88AD-4526-AE21-83D130EF0F68})
    Content-Length: 3592
    Host: login.live.com
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exe68.0x
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exejaxxwa
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exeot
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://147.45.47.102:57893/hera/amadka.exetspX(
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exe
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.execeIdser
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/go.exeisepro_bot
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exe
Source: MPGPH131.exe, 00000007.00000002.2104214514.0000000001730000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeUs
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeXb5?7
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeka.ex;
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exeka.exbota
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.56/cost/lenin.exer
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/ca_732b6ec148d290c0a071efd1dac8e288/LatestCRL.crl07
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, RageMP131.exe.0.dr, MPGPH131.exe.0.dr String found in binary or memory: http://pki-ocsp.symauth.com0
Source: Amcache.hve.20.dr String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085670647.0000000000581000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2102864029.0000000000761000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2090843133.0000000000761000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098106504.0000000000721000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2192978530.0000000000721000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859408154.00000000072E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1864427567.00000000072EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1855947799.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961346965.000000000766A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1944872868.0000000001897000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1953713835.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1959185609.0000000007728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1955343277.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1961588677.00000000074BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1957623496.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, 0K7_4ZPCGxHpWeb Data.0.dr, v2cU2ORgmdjCWeb Data.13.dr, fPrkUqiJIt7RWeb Data.7.dr, jdYGzsyj2RgAWeb Data.0.dr, 7infWL2dpE0JWeb Data.13.dr, 00Qerm5hMGZOWeb Data.8.dr, 2a4LP_xtRLdaWeb Data.13.dr, zbISjRzl0odeWeb Data.7.dr, UI_98ko8uFErWeb Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859408154.00000000072E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1864427567.00000000072EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1855947799.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961346965.000000000766A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1944872868.0000000001897000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1953713835.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1959185609.0000000007728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1955343277.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1961588677.00000000074BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1957623496.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, 0K7_4ZPCGxHpWeb Data.0.dr, v2cU2ORgmdjCWeb Data.13.dr, fPrkUqiJIt7RWeb Data.7.dr, jdYGzsyj2RgAWeb Data.0.dr, 7infWL2dpE0JWeb Data.13.dr, 00Qerm5hMGZOWeb Data.8.dr, 2a4LP_xtRLdaWeb Data.13.dr, zbISjRzl0odeWeb Data.7.dr, UI_98ko8uFErWeb Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859408154.00000000072E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1864427567.00000000072EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1855947799.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961346965.000000000766A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1944872868.0000000001897000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1953713835.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1959185609.0000000007728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1955343277.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1961588677.00000000074BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1957623496.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, 0K7_4ZPCGxHpWeb Data.0.dr, v2cU2ORgmdjCWeb Data.13.dr, fPrkUqiJIt7RWeb Data.7.dr, jdYGzsyj2RgAWeb Data.0.dr, 7infWL2dpE0JWeb Data.13.dr, 00Qerm5hMGZOWeb Data.8.dr, 2a4LP_xtRLdaWeb Data.13.dr, zbISjRzl0odeWeb Data.7.dr, UI_98ko8uFErWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859408154.00000000072E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1864427567.00000000072EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1855947799.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961346965.000000000766A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1944872868.0000000001897000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1953713835.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1959185609.0000000007728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1955343277.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1961588677.00000000074BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1957623496.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, 0K7_4ZPCGxHpWeb Data.0.dr, v2cU2ORgmdjCWeb Data.13.dr, fPrkUqiJIt7RWeb Data.7.dr, jdYGzsyj2RgAWeb Data.0.dr, 7infWL2dpE0JWeb Data.13.dr, 00Qerm5hMGZOWeb Data.8.dr, 2a4LP_xtRLdaWeb Data.13.dr, zbISjRzl0odeWeb Data.7.dr, UI_98ko8uFErWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/A
Source: RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/c
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.000000000156A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219.outloo
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.2191s
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219D
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219IuG
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219QW
Source: RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219n?x
Source: RageMP131.exe, 0000000F.00000002.2194242592.000000000156A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219ot
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=191.96.227.219yUk
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.227.219
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.227.219P
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.227.219lu
Source: RageMP131.exe, 0000000F.00000002.2194242592.00000000014F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=191.96.227.219r)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859408154.00000000072E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1864427567.00000000072EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1855947799.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961346965.000000000766A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1944872868.0000000001897000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1953713835.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1959185609.0000000007728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1955343277.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1961588677.00000000074BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1957623496.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, 0K7_4ZPCGxHpWeb Data.0.dr, v2cU2ORgmdjCWeb Data.13.dr, fPrkUqiJIt7RWeb Data.7.dr, jdYGzsyj2RgAWeb Data.0.dr, 7infWL2dpE0JWeb Data.13.dr, 00Qerm5hMGZOWeb Data.8.dr, 2a4LP_xtRLdaWeb Data.13.dr, zbISjRzl0odeWeb Data.7.dr, UI_98ko8uFErWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859408154.00000000072E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1864427567.00000000072EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1855947799.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961346965.000000000766A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1944872868.0000000001897000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1953713835.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1959185609.0000000007728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1955343277.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1961588677.00000000074BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1957623496.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, 0K7_4ZPCGxHpWeb Data.0.dr, v2cU2ORgmdjCWeb Data.13.dr, fPrkUqiJIt7RWeb Data.7.dr, jdYGzsyj2RgAWeb Data.0.dr, 7infWL2dpE0JWeb Data.13.dr, 00Qerm5hMGZOWeb Data.8.dr, 2a4LP_xtRLdaWeb Data.13.dr, zbISjRzl0odeWeb Data.7.dr, UI_98ko8uFErWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859408154.00000000072E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1864427567.00000000072EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1855947799.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961346965.000000000766A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1944872868.0000000001897000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1953713835.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1959185609.0000000007728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1955343277.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1961588677.00000000074BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1957623496.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, 0K7_4ZPCGxHpWeb Data.0.dr, v2cU2ORgmdjCWeb Data.13.dr, fPrkUqiJIt7RWeb Data.7.dr, jdYGzsyj2RgAWeb Data.0.dr, 7infWL2dpE0JWeb Data.13.dr, 00Qerm5hMGZOWeb Data.8.dr, 2a4LP_xtRLdaWeb Data.13.dr, zbISjRzl0odeWeb Data.7.dr, UI_98ko8uFErWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RageMP131.exe, 0000000F.00000002.2194242592.000000000155F000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RageMP131.exe, 0000000F.00000002.2194242592.00000000014F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/#:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2104214514.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2092162134.0000000001AA6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085670647.0000000000581000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2102864029.0000000000761000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2090843133.0000000000761000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098106504.0000000000721000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2192978530.0000000000721000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.0000000001878000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2104214514.0000000001779000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2104214514.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2092162134.0000000001AA6000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2092162134.0000000001A60000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001A69000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001532000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001578000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.219
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001A60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.2190
Source: MPGPH131.exe, 00000007.00000002.2104214514.0000000001779000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.219E
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018C3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.219S2
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001A69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/191.96.227.219hE
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018C3000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2104214514.00000000017C0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2092162134.0000000001AA6000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.00000000014F7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/191.96.227.219
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1863787047.00000000072D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1857497356.00000000019AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1960562962.0000000001896000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1954095590.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1955332457.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, ofPO1RwvHkuAHistory.0.dr, FAL14YoTdbqiHistory.13.dr, zJuLTaGAiOucHistory.13.dr, i1yIsS8bZnbMHistory.8.dr, 9cOnGTGkShnWHistory.0.dr, 2HnRxWloJpRxHistory.7.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: ofPO1RwvHkuAHistory.0.dr, FAL14YoTdbqiHistory.13.dr, zJuLTaGAiOucHistory.13.dr, i1yIsS8bZnbMHistory.8.dr, 9cOnGTGkShnWHistory.0.dr, 2HnRxWloJpRxHistory.7.dr String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1863787047.00000000072D6000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1857497356.00000000019AD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1960562962.0000000001896000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1954095590.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1955332457.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, ofPO1RwvHkuAHistory.0.dr, FAL14YoTdbqiHistory.13.dr, zJuLTaGAiOucHistory.13.dr, i1yIsS8bZnbMHistory.8.dr, 9cOnGTGkShnWHistory.0.dr, 2HnRxWloJpRxHistory.7.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: ofPO1RwvHkuAHistory.0.dr, FAL14YoTdbqiHistory.13.dr, zJuLTaGAiOucHistory.13.dr, i1yIsS8bZnbMHistory.8.dr, 9cOnGTGkShnWHistory.0.dr, 2HnRxWloJpRxHistory.7.dr String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.00000000014F7000.00000004.00000020.00020000.00000000.sdmp, _GC5VU0C8TlDHIYOayOodaC.zip.8.dr, 6vITM1PSugWZudEYSR57YQU.zip.13.dr, gWpl3DKIKrL9jhWS6lgcZ2J.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000008.00000002.2092743314.0000000001B18000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.2025987376.0000000001B16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT4
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1901198665.0000000001994000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1901048371.0000000001993000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT=
Source: MPGPH131.exe, 00000007.00000002.2104666258.000000000186E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTV
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTh
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORTl
Source: RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.8.dr, passwords.txt.0.dr, passwords.txt.13.dr String found in binary or memory: https://t.me/risepro_bot
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot)
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot7.219
Source: RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot7.219H
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botAb
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botL#2
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botb#D
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_boteb
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859408154.00000000072E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1864427567.00000000072EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1855947799.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961346965.000000000766A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1944872868.0000000001897000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1953713835.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1959185609.0000000007728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1955343277.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1961588677.00000000074BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1957623496.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, 0K7_4ZPCGxHpWeb Data.0.dr, v2cU2ORgmdjCWeb Data.13.dr, fPrkUqiJIt7RWeb Data.7.dr, jdYGzsyj2RgAWeb Data.0.dr, 7infWL2dpE0JWeb Data.13.dr, 00Qerm5hMGZOWeb Data.8.dr, 2a4LP_xtRLdaWeb Data.13.dr, zbISjRzl0odeWeb Data.7.dr, UI_98ko8uFErWeb Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859408154.00000000072E8000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1864427567.00000000072EC000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1855947799.00000000019AB000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961346965.000000000766A000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1944872868.0000000001897000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1953713835.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1959185609.0000000007728000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1955343277.0000000001B8C000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B7A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1961588677.00000000074BF000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1957623496.0000000001B97000.00000004.00000020.00020000.00000000.sdmp, 0K7_4ZPCGxHpWeb Data.0.dr, v2cU2ORgmdjCWeb Data.13.dr, fPrkUqiJIt7RWeb Data.7.dr, jdYGzsyj2RgAWeb Data.0.dr, 7infWL2dpE0JWeb Data.13.dr, 00Qerm5hMGZOWeb Data.8.dr, 2a4LP_xtRLdaWeb Data.13.dr, zbISjRzl0odeWeb Data.7.dr, UI_98ko8uFErWeb Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/;b
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1901048371.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1860303528.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1857711497.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859526244.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859773130.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1856547579.0000000001983000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1955347396.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1957436453.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1941467920.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1958813737.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1976563824.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1992001998.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1960474585.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1962204832.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961923009.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1989731832.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1954133777.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1950407144.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2104666258.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961204708.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1947493623.000000000186E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/k#O
Source: D87fZN3R3jFeplaces.sqlite.13.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/eata
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1901048371.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1860303528.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1857711497.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859526244.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1859773130.0000000001983000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1856547579.0000000001983000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1955347396.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1957436453.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1941467920.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1958813737.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1976563824.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1992001998.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1960474585.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1962204832.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961923009.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1989731832.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1954133777.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1950407144.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2104666258.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1961204708.000000000186E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000003.1947493623.000000000186E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: MPGPH131.exe, 00000007.00000002.2104214514.0000000001730000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/r
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refox
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/refoxt
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49737 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49748 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49749 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49750 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49752 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49753 version: TLS 1.2
Source: unknown HTTPS traffic detected: 52.165.165.26:443 -> 192.168.2.4:49751 version: TLS 1.2
Source: unknown HTTPS traffic detected: 23.51.58.94:443 -> 192.168.2.4:49754 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49761 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49762 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.82:443 -> 192.168.2.4:49764 version: TLS 1.2
Source: unknown HTTPS traffic detected: 40.126.24.82:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49779 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.4:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 20.12.23.50:443 -> 192.168.2.4:49781 version: TLS 1.2

System Summary

Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: String function: 0059ACE0 appears 86 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: String function: 0077ACE0 appears 86 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1980
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000000.1628134455.0000000000724000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Binary or memory string: OriginalFilenameCrossDeviceSettingsHost.exeX vs SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: Section: ZLIB complexity 0.9997618952472294
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: Section: ZLIB complexity 0.9934290213178295
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: Section: ZLIB complexity 0.99462890625
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997618952472294
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9934290213178295
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 0.99462890625
Source: RageMP131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9997618952472294
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.9934290213178295
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 0.99462890625
Source: MPGPH131.exe.0.dr Static PE information: Section: ZLIB complexity 1.0006510416666667
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@44/85@9/7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_0065D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0065D2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7212
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6668:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess796
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8700
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6788:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6788
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085670647.0000000000581000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2102864029.0000000000761000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2090843133.0000000000761000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098106504.0000000000721000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2192978530.0000000000721000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085670647.0000000000581000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2102864029.0000000000761000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2090843133.0000000000761000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098106504.0000000000721000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2192978530.0000000000721000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1856547579.0000000001945000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1953686131.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951033571.0000000001B62000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1954095590.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1951162142.0000000001B96000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000003.1949927709.0000000001B62000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1955332457.0000000001BA2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1953855338.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000003.1954990178.0000000001B6E000.00000004.00000020.00020000.00000000.sdmp, TgQ4S6c4BAPSLogin Data.7.dr, FbUnNuCw4_bKLogin Data.13.dr, KschALC58KiLLogin Data For Account.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe ReversingLabs: Detection: 50%
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Virustotal: Detection: 58%
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe File read: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http:///
Source: unknown Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://%3cfnc1%3e(79)/
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 --field-trial-handle=2032,i,13373424599956482758,2622410995844212760,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1904,i,4433995280801359943,15790253874222841577,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 --field-trial-handle=2032,i,13373424599956482758,2622410995844212760,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: unknown Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 796 -s 1980
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8700 -s 2004
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7212 -s 1260
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6788 -s 1896
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2000 --field-trial-handle=1904,i,4433995280801359943,15790253874222841577,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: version.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: shfolder.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wldp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: profapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d11.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxgi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: resourcepolicyclient.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: kernel.appcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: d3d10warp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dxcore.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: webio.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: iphlpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: winnsi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dnsapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rasadhlp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: fwpuclnt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: schannel.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: mskeyprotect.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ncryptsslp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: msasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: rsaenh.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: cryptbase.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: gpapi.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: vaultcli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: wintypes.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d11.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxgi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dxcore.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Section loaded: dpapi.dll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static file information: File size 3197440 > 1048576
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: Raw size of .data is bigger than: 0x100000 < 0x225a00

Data Obfuscation

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Unpacked PE file: 0.2.SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe.580000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 7.2.MPGPH131.exe.760000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Unpacked PE file: 8.2.MPGPH131.exe.760000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 13.2.RageMP131.exe.720000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Unpacked PE file: 15.2.RageMP131.exe.720000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.rsrc:R;Unknown_Section6:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:R;.rsrc:R;Unknown_Section6:EW;.data:EW;
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_0064C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0064C630
Source: initial sample Static PE information: section where entry point is pointing to: .data
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: RageMP131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: MPGPH131.exe.0.dr Static PE information: section name:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_005B3F49 push ecx; ret 0_2_005B3F5C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA717A0 push 7FA70002h; ret 0_2_7FA717AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71FB0 push 7FA70002h; ret 0_2_7FA71FBF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71F80 push 7FA70002h; ret 0_2_7FA71F8F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA70F90 push 7FA70002h; ret 0_2_7FA70F9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA72790 push 7FA70002h; ret 0_2_7FA7279F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71FE0 push 7FA70002h; ret 0_2_7FA71FEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA70FF0 push 7FA70002h; ret 0_2_7FA70FFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA727F0 push 7FA70002h; ret 0_2_7FA727FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA70FC0 push 7FA70002h; ret 0_2_7FA70FCF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA727C0 push 7FA70002h; ret 0_2_7FA727CF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA717D0 push 7FA70002h; ret 0_2_7FA717DF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71F20 push 7FA70002h; ret 0_2_7FA71F2F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA70F30 push 7FA70002h; ret 0_2_7FA70F3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA72730 push 7FA70002h; ret 0_2_7FA7273F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA70F00 push 7FA70002h; ret 0_2_7FA70F0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA72700 push 7FA70002h; ret 0_2_7FA7270F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71710 push 7FA70002h; ret 0_2_7FA7171F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA70F60 push 7FA70002h; ret 0_2_7FA70F6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA72760 push 7FA70002h; ret 0_2_7FA7276F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71770 push 7FA70002h; ret 0_2_7FA7177F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71740 push 7FA70002h; ret 0_2_7FA7174F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71F50 push 7FA70002h; ret 0_2_7FA71F5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA70EA0 push 7FA70002h; ret 0_2_7FA70EAF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA726A0 push 7FA70002h; ret 0_2_7FA726AF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA716B0 push 7FA70002h; ret 0_2_7FA716BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71680 push 7FA70002h; ret 0_2_7FA7168F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71E90 push 7FA70002h; ret 0_2_7FA71E9F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA716E0 push 7FA70002h; ret 0_2_7FA716EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71EF0 push 7FA70002h; ret 0_2_7FA71EFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_7FA71EC0 push 7FA70002h; ret 0_2_7FA71ECF
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name: entropy: 7.999628050473961
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name: entropy: 7.991031678374504
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name: entropy: 7.818155657101209
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Static PE information: section name: entropy: 7.990686327893471
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.999628050473961
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.991031678374504
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.818155657101209
Source: RageMP131.exe.0.dr Static PE information: section name: entropy: 7.990686327893471
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.999628050473961
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.991031678374504
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.818155657101209
Source: MPGPH131.exe.0.dr Static PE information: section name: entropy: 7.990686327893471
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Boot Survival

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
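The two persistence mechanisms above are a scheduled task that re-launches the ProgramData copy every hour with the highest run level the user has, and an HKCU Run value for the AppData copy. The script below is an added example, not part of the sandbox report or of the sample: it parses schtasks command lines and Run-key writes out of process-creation and registry telemetry and lists the indicators a hunt query would key on. The schtasks command line is the one the report records verbatim; the event dictionary layout, the benign control task and the data path given for the RageMP131 value (the report names only the value, not its data) are constructed assumptions.

```python
"""Added example (not from the sandbox report): scheduled-task / Run-key persistence triage."""
import re
from typing import Dict, List

# Quoted arguments keep their spaces (e.g. /tn "MPGPH131 HR"); everything else splits on whitespace.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')

# Assumption: directories an unprivileged user can write to. A persistence entry pointing
# here is far more suspicious than one under Program Files or System32.
USER_WRITABLE = ("c:\\programdata", "c:\\users\\", "\\appdata\\", "\\temp\\")

# Assumption: triggers this frequent behave like a re-launch beacon rather than maintenance.
HIGH_FREQUENCY = {"minute", "hourly"}


def parse_schtasks(cmdline: str) -> Dict[str, str]:
    """Map lowercase schtasks switches to their values ('' for bare switches such as /f)."""
    tokens = [q if q else bare for q, bare in TOKEN_RE.findall(cmdline)]
    args: Dict[str, str] = {}
    i = 1  # tokens[0] is the image name
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt and not nxt.startswith("/"):
                args[key] = nxt
                i += 2
            else:
                args[key] = ""
                i += 1
        else:
            i += 1
    return args


def score_task(args: Dict[str, str]) -> List[str]:
    """Indicators for a 'schtasks /create' invocation; empty list means nothing stood out."""
    reasons: List[str] = []
    if "create" not in args:
        return reasons
    target = args.get("tr", "").lower()
    if any(marker in target for marker in USER_WRITABLE):
        reasons.append(f"task runs binary from user-writable path: {args['tr']}")
    if args.get("rl", "").lower() == "highest":
        reasons.append("runs with highest available privileges (/rl HIGHEST)")
    if args.get("sc", "").lower() in HIGH_FREQUENCY:
        reasons.append(f"high-frequency trigger (/sc {args['sc']})")
    if "f" in args:
        reasons.append("silently overwrites an existing task of the same name (/f)")
    return reasons


def score_runkey(key: str, data: str) -> List[str]:
    """Indicators for a registry write; only Run/RunOnce keys count as autostart."""
    reasons: List[str] = []
    if re.search(r"\\currentversion\\run(once)?$", key.lower()):
        reasons.append("autostart entry in " + key.rsplit("\\", 1)[-1] + " key")
        if any(marker in data.lower() for marker in USER_WRITABLE):
            reasons.append(f"autostart target in user-writable path: {data}")
    return reasons


def triage(events: List[dict]) -> List[dict]:
    """One finding per schtasks process or registry event, in input order."""
    out = []
    for ev in events:
        if ev["type"] == "process" and ev["image"].lower().endswith("schtasks.exe"):
            args = parse_schtasks(ev["cmdline"])
            out.append({"what": args.get("tn", "?"), "reasons": score_task(args)})
        elif ev["type"] == "registry":
            out.append({"what": ev["value"],
                        "reasons": score_runkey(ev["key"], ev.get("data", ""))})
    return out


# Constructed sample telemetry. The first command line is the one the report records.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"type": "registry",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "RageMP131",
     # assumption: the report gives only the value name; this data mirrors the dropped file path
     "data": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",  # constructed benign control
     "cmdline": r'schtasks /create /tn "Acme Backup" /tr "C:\Program Files\Acme\backup.exe" /sc DAILY'},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding["what"], "->", finding["reasons"] or "no indicators")
```

On the host itself the same two artefacts are confirmed with `schtasks /query /tn "MPGPH131 HR" /v /fo LIST` and `reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v RageMP131`; because the task is created with the user's own account and `/rl HIGHEST`, it yields no more than that user already has, so remediation is deleting the task and the value rather than hunting for a separate elevation step.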
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Window / User API: threadDelayed 634
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Evaded block: after key decision
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evaded block: after key decision
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe TID: 5968 Thread sleep count: 634 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6860 Thread sleep count: 128 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6860 Thread sleep count: 48 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7216 Thread sleep count: 86 > 30
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7216 Thread sleep count: 42 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8704 Thread sleep count: 174 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8704 Thread sleep count: 102 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9084 Thread sleep count: 33 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 9084 Thread sleep count: 114 > 30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_0065D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0065D2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_006433B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_006433B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_00611A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA, 0_2_00611A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_00663B20 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_00663B20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_005B1F8C FindClose,FindFirstFileExW,GetLastError, 0_2_005B1F8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_005B2012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_005B2012
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_006113F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 0_2_006113F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0083D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 7_2_0083D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_008233B0 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 7_2_008233B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_007F1A60 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,LocalFree, 7_2_007F1A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00843B20 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 7_2_00843B20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00791F8C FindClose,FindFirstFileExW,GetLastError, 7_2_00791F8C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00792012 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 7_2_00792012
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_007F13F0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 7_2_007F13F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_0065D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0065D2B0
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_703cab63ddfc30e52e5285a77dd3d65328718bd_cadc5c4f_ca1ea967-fef8-45d7-a94d-43811e9047c7\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MPGPH131.exe_f7fc5d77e4181bfc8c190387d813954cf99dd80_2d68038f_ba0e7d69-f458-483a-978e-dbc15423d24c\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 2012 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000008.00000002.2092950272.0000000001B63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_2181566Dom
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 11 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000008.00000002.2092162134.0000000001A81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWx
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: #Windows 10 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8.1 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 2016 Server Standard without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWr
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.000000000189B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 11 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.0000000001896000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000n&
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: (Windows 2012 R2 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 11 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 6Windows 2012 R2 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 0000000F.00000002.2194242592.00000000014F7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000005F
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 0000000D.00000002.2101248987.00000000074A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowswwiV
Source: Amcache.hve.20.dr Binary or memory string: vmci.sys
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 0Windows 8 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 6Windows 8.1 Essential Server Solutions without Hyper-V
Source: RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: vmware
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 4Windows 8 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 2012 Server Datacenter without Hyper-V (full)
Source: MPGPH131.exe, 00000007.00000002.2104214514.000000000179A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`c}
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2016 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.20.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.20.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.20.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.20.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: "Windows 8 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000007.00000003.2027559370.000000000182C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}JO
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (full)
Source: Amcache.hve.20.dr Binary or memory string: VMware Virtual USB Mouse
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V
Source: RageMP131.exe, 0000000F.00000003.1944329420.000000000155D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 R2 Microsoft Hyper-V Server
Source: Amcache.hve.20.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8.1 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 R2 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Hyper-V (guest)
Source: Amcache.hve.20.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.20.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 10 Microsoft Hyper-V Server
Source: Amcache.hve.20.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.20.dr Binary or memory string: \driver\vmci,\driver\pci
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000857000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000A37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000A37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000009F7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000009F7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: ~VirtualMachineTypes
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000857000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000A37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000A37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000009F7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000009F7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: ]DLL_Loader_VirtualMachine
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2016 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000857000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000A37000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000A37000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000009F7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000009F7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: /Windows 2012 R2 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 11 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: )Windows 8 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 2016 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: %Windows 2012 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Hyper-V
Source: Amcache.hve.20.dr Binary or memory string: VMware
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: $Windows 8.1 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000007.00000002.2104214514.000000000173D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_2181566DpzIzG
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: ,Windows 2012 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J65EtqTQ2ruTWZeEW0ke6pZu6LLcKCEPSL9PtJkfCzME
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 Microsoft Hyper-V Server
Source: MPGPH131.exe, 00000007.00000002.2104214514.000000000179A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.20.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 10 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000D.00000002.2099657926.0000000001A8A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001553000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 8Windows 2012 R2 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 10 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000D.00000003.1868798904.0000000001A9C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 7Windows 2012 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.20.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: %Windows 2016 Microsoft Hyper-V Server
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 2012 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 11 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 7Windows 2016 Essential Server Solutions without Hyper-V
Source: MPGPH131.exe, 00000007.00000002.2104214514.00000000017A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91e
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: +Windows 8.1 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}es=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\Windowsee
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 10 Server Datacenter without Hyper-V (core)
Source: Amcache.hve.20.dr Binary or memory string: VMware20,1
Source: Amcache.hve.20.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.20.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.20.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 11 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.20.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.20.dr Binary or memory string: VMware VMCI Bus Device
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 11 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 2016 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (core)
Source: RageMP131.exe, 0000000F.00000002.2194242592.0000000001594000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW<A
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (core)
Source: Amcache.hve.20.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 10 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: :Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 11 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2016 Server Standard without Hyper-V (core)
Source: Amcache.hve.20.dr Binary or memory string: vmci.syshbin
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8 Server Standard without Hyper-V (core)
Source: Amcache.hve.20.dr Binary or memory string: VMware, Inc.
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 5Windows 10 Essential Server Solutions without Hyper-V
Source: Amcache.hve.20.dr Binary or memory string: VMware20,1hbin@
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 8Windows 2012 R2 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: xVBoxService.exe
Source: Amcache.hve.20.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 3Windows 10 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8.1 Server Enterprise without Hyper-V (full)
Source: Amcache.hve.20.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8 Server Enterprise without Hyper-V (core)
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_2181566Dd":fa'O
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: *Windows 11 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 R2 Essential Server Solutions without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: ,Windows 2016 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 Server Standard without Hyper-V (core)
Source: Amcache.hve.20.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8.1 Server Datacenter without Hyper-V (core)
Source: MPGPH131.exe, 00000007.00000002.2104666258.0000000001865000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},"signin_last_updated_time":1696333686.296287},"sentinel_creation_time":"13340807286316564","shutdown":{"num_processes":0,"num_processes_slow":0,"type":0},"smartscreen":{"enabled":true,"pua_protection_enabled":false},"subresource_filter":{"ruleset_version":{"checksum":0,"content":"","format":0}},"tab_stats":{"last_daily_sample":"13340807614137712"},"telemetry_client":{"host_telclient_path":"QzpcUHJvZ3JhbSBGaWxlcyAoeDg2KVxNaWNyb3NvZnRcRWRnZVxBcHBsaWNhdGlvblw5Mi4wLjkwMi42N1x0ZWxjbGllbnQuZGxs","install_source_name":"windows","os_integration_level":5,"sample_id":57862835,"updater_version":"1.3.147.37","windows_update_applied":false},"ukm":{"persisted_logs":[]},"uninstall_metrics":{"installation_date2":"1696333686"},"user_experience_metrics":{"client_id2":"48ea0ba2-e9bb-4568-92cb-0f42a5c5d505","diagnostics":{"last_data_collection_level_on_launch":1},"low_entropy_source3":6122,"payload_counter":1,"pseudo_low_entropy_source":1088,"session_id":2,"stability":{"browser_last_live_timestamp":"13340894512964064","child_process_crash_count":0,"crash_count":0,"exited_cleanly":true,"extension_renderer_crash_count":0,"extension_renderer_failed_launch_count":0,"extension_renderer_launch_count":6,"gpu_crash_count":0,"incomplete_session_end_count":0,"launch_count":3,"page_load_count":7,"plugin_stats2":[],"renderer_crash_count":0,"renderer_failed_launch_count":0,"renderer_hang_count":0,"renderer_launch_count":3,"session_end_completed":true,"stats_buildtime":"1628133952","stats_version":"92.0.902.67-64","system_crash_count":0}},"variations_compressed_seed":"H4sIAAAAAAAAAJVYXXPiyA79K7d49qWwmcmSmboPfGWS2iQQTJI7tbuVamxh+sZ0e9ptCJnKf79H/iAQMLP7kDi2jk6rpZZays/GMIyo8eVnoxum41jYuTbL//I3ekn4Mykxi+mChM0MpY0vfzSWKYu7YYW+T+kqJGWl3TT+enMaA5mySl+olUhHo/GEacLi4y5PCdDJRKSWjHwVVmqVU/ACFzqO9ZqVHmlWck7oR0aprSEsDNvTu5AxqK8ldJxj8qmRUUSmm8i+CBa0Xdxf6CSRKh
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2016 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2016 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1664914507.00000000018AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}^3
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001B68000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_2181566D
Source: RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: VBoxService.exe
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 8.1 Server Standard without Hyper-V
Source: Amcache.hve.20.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: *Windows 10 Server Standard without Hyper-V
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 1Windows 11 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 1Windows 10 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 2012 Server Datacenter without Hyper-V (full)
Source: RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: VMWare
Source: Amcache.hve.20.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 4Windows 8.1 Server Enterprise without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: Windows 10 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 2Windows 8.1 Server Standard without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 2Windows 8 Server Datacenter without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 4Windows 8.1 Server Datacenter without Hyper-V (core)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}J6HEdjEHUub5EtqTQ2dk3wwrCNfruTWZeEqONRrqgXAW0ke6pZXg==_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=*
Source: RageMP131.exe, 0000000D.00000002.2099657926.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 2Windows 8 Server Enterprise without Hyper-V (full)
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2085940359.0000000000727000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000007.00000002.2103118221.0000000000907000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000008.00000002.2091075481.0000000000907000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 0000000D.00000002.2098376243.00000000008C7000.00000040.00000001.01000000.00000008.sdmp, RageMP131.exe, 0000000F.00000002.2193200592.00000000008C7000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: #Windows 11 Microsoft Hyper-V Server
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_005B8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005B8A54
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_0064C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0064C630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_00644130 mov eax, dword ptr fs:[00000030h] 0_2_00644130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_00611A60 mov eax, dword ptr fs:[00000030h] 0_2_00611A60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00824130 mov eax, dword ptr fs:[00000030h] 7_2_00824130
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_007F1A60 mov eax, dword ptr fs:[00000030h] 7_2_007F1A60
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_00666E20 GetLastError,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_00666E20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_005B450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_005B450D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_005B8A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_005B8A54
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0079450D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_0079450D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_00798A54 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00798A54

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_0064C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 0_2_0064C630
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: 7_2_0082C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject, 7_2_0082C630
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0065D2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: GetLocaleInfoW, 0_2_005D31B8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: EnumSystemLocalesW, 0_2_005CB1A3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_005D32E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: GetLocaleInfoW, 0_2_005D33E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_005D34BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: GetLocaleInfoW, 0_2_005CB726
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_005D2B48
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: GetLocaleInfoW, 0_2_005D2D4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: EnumSystemLocalesW, 0_2_005D2DF4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: EnumSystemLocalesW, 0_2_005D2E3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: EnumSystemLocalesW, 0_2_005D2EDA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_005D2F65
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 7_2_0083D2B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_007B31B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_007AB1A3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 7_2_007B32E1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_007B33E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 7_2_007B34BD
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_007AB726
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 7_2_007B2B48
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW, 7_2_007B2D4D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_007B2DF4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_007B2E3F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_007B2EDA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 7_2_007B2F65
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: 0_2_0065D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 0_2_0065D2B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.20.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.20.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.20.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.20.dr Binary or memory string: MsMpEng.exe
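Added triage helper (an editor's example, not part of the sandbox output or of the sample): the routine at 0_2_0065D2B0 above is notable not for any one call but because a single function chains identity (GetComputerNameA, GetUserNameA), hardware (GetCurrentHwProfileA, GetSystemInfo, GlobalMemoryStatusEx), locale, time-zone, display, running-process and registry lookups, which is the shape of a victim fingerprint rather than of ordinary application start-up. The script below parses the report's "Code function:" lines and flags any chain that spans at least five of those groups. The grouping of APIs and the threshold are my own assumptions; the two input lines are copied from the report.

```python
"""Score a disassembled Win32 call chain for host-profiling behaviour.

Editor's example for triaging "Code function:" lines of a sandbox report;
not part of the sandbox's tooling.  The category table is the editor's own
grouping of the APIs the report lists, not a published taxonomy.
"""
import re

# Win32 calls grouped by what they reveal about the victim.  Any one group is
# routine for benign software; one function touching most of them is building
# a host fingerprint.
PROFILING_CATEGORIES = {
    "identity": {"GetComputerNameA", "GetComputerNameW", "GetUserNameA", "GetUserNameW"},
    "hardware": {"GetCurrentHwProfileA", "GetSystemInfo", "GlobalMemoryStatusEx"},
    "locale": {"GetUserDefaultLocaleName", "GetKeyboardLayoutList", "GetLocaleInfoA",
               "GetLocaleInfoW", "EnumSystemLocalesW"},
    "time": {"GetLocalTime", "GetSystemTime", "GetTimeZoneInformation",
             "TzSpecificLocalTimeToSystemTime"},
    "display": {"GetDesktopWindow", "GetWindowRect"},
    "processes": {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"},
    "registry": {"RegOpenKeyExA", "RegQueryValueExA", "RegEnumKeyExA"},
    "file_staging": {"CreateDirectoryA", "FindFirstFileA", "FindNextFileA", "CopyFileA"},
}

# The report prints "<fid> <call,call,...>, <fid>" for a whole function and
# "<call>, <fid>" for a single call site; both forms are accepted.
CODE_LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) Code function: "
    r"(?:(?P<fid>\d+_\d+_[0-9A-Fa-f]+) )?(?P<calls>[\w,]+), (?P<fid2>\d+_\d+_[0-9A-Fa-f]+)$"
)


def parse_code_line(line):
    """Return (process, function id, [calls]) or None for non-matching lines."""
    m = CODE_LINE_RE.match(line.strip())
    if not m:
        return None
    calls = [c for c in m.group("calls").split(",") if c]
    return m.group("proc"), m.group("fid") or m.group("fid2"), calls


def profiling_categories(calls):
    """Set of fingerprint categories a call chain touches."""
    present = set(calls)
    return {cat for cat, apis in PROFILING_CATEGORIES.items() if present & apis}


def score_lines(lines, threshold=5):
    """Map function id -> (categories, flagged).

    A chain is flagged when it spans at least `threshold` categories; the
    threshold is an editor's choice, tuned so that isolated locale or registry
    lookups stay below it.
    """
    result = {}
    for line in lines:
        parsed = parse_code_line(line)
        if parsed is None:
            continue
        _proc, fid, calls = parsed
        cats = profiling_categories(calls) | result.get(fid, (set(), False))[0]
        result[fid] = (cats, len(cats) >= threshold)
    return result


# Constructed input: two lines copied from the report (one single call site,
# one full function chain).
SAMPLE_LINES = [
    "Source: C:\\ProgramData\\MPGPH131\\MPGPH131.exe Code function: EnumSystemLocalesW, 7_2_007B2DF4",
    "Source: C:\\Users\\user\\Desktop\\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Code function: "
    "0_2_0065D2B0 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,"
    "GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,"
    "GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,"
    "RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,"
    "GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,"
    "LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,"
    "RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,"
    "CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,"
    "RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, "
    "0_2_0065D2B0",
]

if __name__ == "__main__":
    for fid, (cats, flagged) in score_lines(SAMPLE_LINES).items():
        print(fid, "HOST-PROFILING" if flagged else "below threshold", sorted(cats))
```

Run against the whole report text this yields one verdict per function id: the single EnumSystemLocalesW call sites in MPGPH131.exe score one category and stay below the threshold, while 0_2_0065D2B0 scores eight. Note also that the four msmpeng.exe strings at the end of the block are sourced from Amcache.hve.20.dr, a Windows system hive that records executed programs, not from the sample's own code or memory; they show that Defender ran on the analysis host and are not by themselves evidence that the sample embeds a list of AV process names.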

Stealing of Sensitive Information

Source: Yara match File source: 00000000.00000003.1901048371.0000000001983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1901198665.0000000001994000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2092162134.0000000001A27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2092743314.0000000001B18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1901048371.0000000001993000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2104666258.000000000186E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2086799247.000000000183E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1997073810.0000000001890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1996378466.0000000001890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1996163003.0000000001890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2027506796.0000000001892000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2025987376.0000000001B61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2104822243.0000000001894000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2087269629.0000000001983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2104214514.000000000173D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2026230623.0000000001B6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2026205617.0000000001B62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2092977467.0000000001B6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2099657926.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2027559370.000000000186E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2025987376.0000000001B16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe PID: 796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 9080, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_GC5VU0C8TlDHIYOayOodaC.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\6vITM1PSugWZudEYSR57YQU.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gWpl3DKIKrL9jhWS6lgcZ2J.zip, type: DROPPED
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000003.1834968833.0000000001946000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty Extension
Source: MPGPH131.exe, 00000007.00000002.2106455749.0000000007650000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet1
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\app-store.json*Y
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsns
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet*
Source: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe, 00000000.00000002.2086799247.00000000018D0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Livec
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2092162134.0000000001AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2104214514.00000000017CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2086799247.00000000018DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe PID: 796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8700, type: MEMORYSTR
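Added triage helper (an editor's example, not sandbox output and not the sample's code): the "File opened" and "Key opened" lines above are more useful grouped by target than read one by one. The script below parses them, pulls the 32-character extension ID out of Chrome's Local Extension Settings, Sync Extension Settings and IndexedDB paths, and buckets each access as browser credential store, history and form data, profile discovery, mail client, extension storage or host fingerprint. The extension-name table is a partial mapping I added from public Chrome Web Store listings (the Jaxx Liberty ID is also corroborated by the "Jaxx Liberty Extension" string above); IDs outside the table are reported as unknown rather than guessed. The sample lines are copied from this report.

```python
"""Group a stealer's file and registry accesses by what they target.

Editor's example for the access lines of a sandbox report; not part of the
sandbox's output.  KNOWN_EXTENSIONS is a partial table from public Chrome Web
Store listings; anything else is labelled unknown instead of guessed.
"""
import re
from collections import defaultdict

# Report lines look like "Source: <process> <event>: <target>[ Jump to behavior]".
ACCESS_LINE_RE = re.compile(
    r"^Source: (?P<proc>.+?) "
    r"(?P<event>File opened|Key opened|Registry key value queried|Key value queried): "
    r"(?P<target>.+?)(?: Jump to behavior)?$"
)
# Chrome extension IDs are 32 characters drawn from a-p; they occur in
# "Local/Sync Extension Settings\<id>\" and "IndexedDB\chrome-extension_<id>_".
EXT_ID_RE = re.compile(r"(?:Extension Settings\\|chrome-extension_)([a-p]{32})")

KNOWN_EXTENSIONS = {  # partial; editor-supplied from public listings
    "nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask",
    "cjelfplplebdjjenllpjcblmjkfcffne": "Jaxx Liberty",
    "fnjhmkhhmkbjkkabndcnnogagogbneec": "Ronin Wallet",
    "fihkakfobkmkjojpchpfgcmhfjnmnfpi": "Binance Chain Wallet",
    "bhghoamapcdpbohphigoooaddinpkbai": "Authenticator",
}
CREDENTIAL_FILES = {"cookies", "logins.json", "signons.sqlite", "key4.db", "login data", "web data"}
HISTORY_FILES = {"places.sqlite", "formhistory.sqlite", "history"}


def classify(target):
    """Return (category, label) for one accessed path or registry key."""
    low = target.lower()
    m = EXT_ID_RE.search(target)
    if m:
        ext = m.group(1)
        return "browser_extension_storage", f"{ext} ({KNOWN_EXTENSIONS.get(ext, 'unknown extension')})"
    if "thunderbird" in low or "windows messaging subsystem" in low:
        return "mail_client", target
    name = low.rsplit("\\", 1)[-1]
    if name in CREDENTIAL_FILES:
        return "browser_credentials", target
    if name in HISTORY_FILES:
        return "browser_history_forms", target
    if name == "profiles.ini":
        return "browser_profile_discovery", target
    if "centralprocessor" in low or "machineguid" in low:
        return "host_fingerprint", target
    return "other", target


def summarize(lines):
    """Map process basename -> category -> sorted unique labels."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = ACCESS_LINE_RE.match(line.strip())
        if not m:
            continue
        proc = m.group("proc").rsplit("\\", 1)[-1]
        cat, label = classify(m.group("target"))
        summary[proc][cat].add(label)
    return {p: {c: sorted(v) for c, v in cats.items()} for p, cats in summary.items()}


# Constructed input: a subset of the access lines copied from the report.
SAMPLE_LINES = [
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT",
    r"Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT",
    r"Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT",
    r"Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite Jump to behavior",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\ProgramData\MPGPH131\MPGPH131.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior",
    r"Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior",
]

if __name__ == "__main__":
    for proc, cats in summarize(SAMPLE_LINES).items():
        print(proc)
        for cat, items in sorted(cats.items()):
            print(f"  {cat}: {len(items)}")
            for item in items:
                print(f"    {item}")
```

Against the full report this makes the division of labour between the dropped executables visible: MPGPH131.exe reads the Chrome cookie store, Firefox history and form data and the Thunderbird and Outlook profile locations, while RageMP131.exe walks the Chrome extension storage (largely wallet extensions) and the Firefox logins.json and signons.sqlite files. The same classifier can be pointed at EDR file-access telemetry; any process other than the browser or mail client itself touching these paths is worth an alert.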

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.1901048371.0000000001983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1901198665.0000000001994000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2092162134.0000000001A27000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2099657926.0000000001AB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2092743314.0000000001B18000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1901048371.0000000001993000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2104666258.000000000186E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2086799247.000000000183E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1997073810.0000000001890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1996378466.0000000001890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1996163003.0000000001890000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2027506796.0000000001892000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2025987376.0000000001B61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2104822243.0000000001894000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2087269629.0000000001983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2104214514.000000000173D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2026230623.0000000001B6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2026205617.0000000001B62000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2092977467.0000000001B6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2099657926.0000000001A2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2027559370.000000000186E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2025987376.0000000001B16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SecuriteInfo.com.Win32.PWSX-gen.11739.16980.exe PID: 796, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 6788, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MPGPH131.exe PID: 7212, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 8700, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: RageMP131.exe PID: 9080, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\_GC5VU0C8TlDHIYOayOodaC.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\6vITM1PSugWZudEYSR57YQU.zip, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\gWpl3DKIKrL9jhWS6lgcZ2J.zip, type: DROPPED