Source: SajWKdHxdF.exe |
ReversingLabs: Detection: 26% |
Source: SajWKdHxdF.exe |
Virustotal: Detection: 28% |
Source: SajWKdHxdF.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED |
Source: |
Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdbP@n@ `@_CorExeMainmscoree.dll source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: E:\HD_Audio\VS2005\Resetup\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: D:\TestProject\SetupAfterRebootService\SetupAfterRebootService\obj\Release\SetupAfterRebootService.pdb,ANA @A_CorExeMainmscoree.dll source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp |
Source: |
Binary string: Z:\Development\Secureuser\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: SajWKdHxdF.exe, 00000001.00000002.4049028223.00000000005CB000.00000040.00000001.01000000.00000003.sdmp |
Source: Traffic |
Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49738 -> 193.233.132.226:50500 |
Source: Traffic |
Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.226:50500 -> 192.168.2.4:49738 |
Source: Traffic |
Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49738 -> 193.233.132.226:50500 |
Source: Traffic |
Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.226:50500 -> 192.168.2.4:49738 |
Source: Traffic |
Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.4:49738 -> 193.233.132.226:50500 |
Source: global traffic |
TCP traffic: 192.168.2.6:49732 -> 193.233.132.226:50500 |
Source: Joe Sandbox View |
IP Address: 193.233.132.226 |
Source: Joe Sandbox View |
ASN Name: FREE-NET-ASFREEnetEU |
Source: unknown |
TCP traffic detected without corresponding DNS query: 193.233.132.226 |
Source: SajWKdHxdF.exe |
String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t |
Source: SajWKdHxdF.exe |
String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# |
Source: SajWKdHxdF.exe |
String found in binary or memory: http://ocsp.sectigo.com0 |
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://www.winimage.com/zLibDll |
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR |
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp |
String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll |
Source: SajWKdHxdF.exe |
String found in binary or memory: https://sectigo.com/CPS0 |
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E98000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: https://t.me/RiseProSUPPORT |
Source: SajWKdHxdF.exe |
Static PE information: invalid certificate |
Source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E11000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs SajWKdHxdF.exe |
Source: SajWKdHxdF.exe, 00000001.00000002.4049697794.0000000000E1C000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenameSetupAfterRebootService.exeP vs SajWKdHxdF.exe |
Source: classification engine |
Classification label: mal100.troj.evad.winEXE@1/0@0/1 |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
File created: C:\Users\user\AppData\Local\Temp\adobe_WCOljeGXatR |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q); |
Source: SajWKdHxdF.exe, 00000001.00000002.4048938533.0000000000515000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger'); |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
File read: C:\Users\user\Desktop\SajWKdHxdF.exe |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: rstrtmgr.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: d3d11.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: dxgi.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: resourcepolicyclient.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: d3d10warp.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: dxcore.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Section loaded: devobj.dll |
Source: SajWKdHxdF.exe |
Static file information: File size 4156656 > 1048576 |
Source: SajWKdHxdF.exe |
Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x3d0000 |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Unpacked PE file: 1.2.SajWKdHxdF.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W; |
Source: initial sample |
Static PE information: section where entry point is pointing to: .MPRESS2 |
Source: SajWKdHxdF.exe |
Static PE information: section name: .MPRESS1 |
Source: SajWKdHxdF.exe |
Static PE information: section name: .MPRESS2 |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Window searched: window name: FilemonClass |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Window searched: window name: PROCMON_WINDOW_CLASS |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Window searched: window name: RegmonClass |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
System information queried: FirmwareTableInformation |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Special instruction interceptor: First address: 6CCCA0 instructions caused by: Self-modifying code |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Window / User API: threadDelayed 3211 |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Window / User API: threadDelayed 6642 |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212 |
Thread sleep count: 3211 > 30 |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212 |
Thread sleep time: -324311s >= -30000s |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212 |
Thread sleep count: 6642 > 30 |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe TID: 3212 |
Thread sleep time: -670842s >= -30000s |
Source: all processes |
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Last function: Thread delayed |
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} |
Source: SajWKdHxdF.exe, 00000001.00000003.2214578242.0000000000E80000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: \SystemRoot\system32\ntkrnmp.exeSDT\VBOX__=l{TW |
Source: SajWKdHxdF.exe, 00000001.00000002.4048821640.0000000000193000.00000004.00000010.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} |
Source: SajWKdHxdF.exe, 00000001.00000003.2214462223.0000000000E80000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeST\VBOX__=l{TW |
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E90000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000 |
Source: SajWKdHxdF.exe, 00000001.00000003.2215301089.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2215187926.0000000000E80000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__=l{TW |
Source: SajWKdHxdF.exe, 00000001.00000003.2214731973.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2214843586.0000000000E80000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__=l{TW |
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll+ |
Source: SajWKdHxdF.exe, 00000001.00000003.2215415343.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2215074046.0000000000E80000.00000004.00001000.00020000.00000000.sdmp, SajWKdHxdF.exe, 00000001.00000003.2214959564.0000000000E80000.00000004.00001000.00020000.00000000.sdmp |
Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__=l{TW |
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EEF000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f5 |
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000E90000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000s |
Source: SajWKdHxdF.exe, 00000001.00000002.4049846063.0000000000EE5000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
System information queried: ModuleInformation |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Process information queried: ProcessInformation |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Process Stats: CPU usage > 42% for more than 60s |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Thread information set: HideFromDebugger |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Open window title or class name: regmonclass |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Open window title or class name: gbdyllo |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Open window title or class name: process monitor - sysinternals: www.sysinternals.com |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Open window title or class name: procmon_window_class |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Open window title or class name: registry monitor - sysinternals: www.sysinternals.com |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Open window title or class name: ollydbg |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Open window title or class name: filemonclass |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Open window title or class name: file monitor - sysinternals: www.sysinternals.com |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Process queried: DebugObjectHandle |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Process queried: DebugPort |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Queries volume information: C:\ VolumeInformation |
Source: C:\Users\user\Desktop\SajWKdHxdF.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Source: Yara match |
File source: 1.2.SajWKdHxdF.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: Process Memory Space: SajWKdHxdF.exe PID: 1424, type: MEMORYSTR |