Source: file.exe
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Traffic
Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 193.233.132.47:50500
Source: Traffic
Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.47:50500 -> 192.168.2.4:49732
Source: Traffic
Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 193.233.132.47:50500
Source: global traffic
TCP traffic: 192.168.2.4:49732 -> 193.233.132.47:50500
Source: Joe Sandbox View
ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: unknown
TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E14EB0 recv,recv,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep,
0_2_00E14EB0
Source: file.exe
String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe
String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe
String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp
String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp
String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe
String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, 00000000.00000002.4096544778.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.4096544778.0000000000B5E000.00000004.00000020.00020000.00000000.sdmp
String found in binary or memory: https://t.me/RiseProSUPPORTlLHT
Source: C:\Users\user\Desktop\file.exe
Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00F32D85
0_2_00F32D85
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E940A0
0_2_00E940A0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D9001D
0_2_00D9001D
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E881A0
0_2_00E881A0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_011AC316
0_2_011AC316
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E54220
0_2_00E54220
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E64220
0_2_00E64220
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D9035F
0_2_00D9035F
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E40350
0_2_00E40350
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E50520
0_2_00E50520
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00DA47AD
0_2_00DA47AD
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E8C8D0
0_2_00E8C8D0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D8C950
0_2_00D8C950
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E94AE0
0_2_00E94AE0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E44AA0
0_2_00E44AA0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_01040B69
0_2_01040B69
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E44CD0
0_2_00E44CD0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_01130D7A
0_2_01130D7A
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E3CD20
0_2_00E3CD20
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00DA8E20
0_2_00DA8E20
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E3CFC0
0_2_00E3CFC0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E44F70
0_2_00E44F70
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0118D145
0_2_0118D145
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E45070
0_2_00E45070
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E51040
0_2_00E51040
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D5D199
0_2_00D5D199
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D61135
0_2_00D61135
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E4D320
0_2_00E4D320
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E554A0
0_2_00E554A0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E3D7D0
0_2_00E3D7D0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00F557C3
0_2_00F557C3
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D61743
0_2_00D61743
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E618D0
0_2_00E618D0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E45960
0_2_00E45960
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E95A40
0_2_00E95A40
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D9DA74
0_2_00D9DA74
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D59C90
0_2_00D59C90
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E45EB0
0_2_00E45EB0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E4DF20
0_2_00E4DF20
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E820C0
0_2_00E820C0
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0116A5B5
0_2_0116A5B5
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00EF269F
0_2_00EF269F
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D8A918
0_2_00D8A918
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E86B30
0_2_00E86B30
Source: C:\Users\user\Desktop\file.exe
Code function: String function: 00D84370 appears 39 times
Source: C:\Users\user\Desktop\file.exe
Code function: String function: 00E94890 appears 52 times
Source: file.exe
Static PE information: invalid certificate
Source: file.exe, 00000000.00000000.1640274378.000000000148D000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: OriginalFilenameSetup.exe@ vs file.exe
Source: file.exe
Binary or memory string: OriginalFilenameSetup.exe@ vs file.exe
Source: classification engine
Classification label: mal88.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe
File created: C:\Users\user\AppData\Local\Temp\trixyJzclrbU7IL69
Source: C:\Users\user\Desktop\file.exe
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.4096948995.0000000000EAA000.00000002.00000001.01000000.00000003.sdmp
Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe
Virustotal: Detection: 20%
Source: C:\Users\user\Desktop\file.exe
File read: C:\Users\user\Desktop\file.exe
Source: C:\Users\user\Desktop\file.exe
Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe
Section loaded: devobj.dll
Source: file.exe
Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe
Static file information: File size 4019448 > 1048576
Source: file.exe
Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x3a7e00
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00E1C630 LoadLibraryA,GetProcAddress,
0_2_00E1C630
Source: initial sample
Static PE information: section where entry point is pointing to: .vmp
Source: file.exe
Static PE information: section name: .vmp
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_01014B01 pushad ; iretd
0_2_01014B7F
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_010B0CD0 push edx; ret
0_2_010B0CE4
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00FD4E38 push eax; ret
0_2_00FD4E55
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_011992A3 push ss; iretd
0_2_011992F5
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00FED780 push eax; ret
0_2_00FED836
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0110996D push ebx; ret
0_2_010E6B57
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00D762CE push ds; retf
0_2_00D762CF
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00F6E854 push esp; ret
0_2_00F6E85F
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0110E9E3 push eax; retf
0_2_0117CFFE
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_010E6B26 push ebx; ret
0_2_010E6B57
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_0108AD93 pushfd ; ret
0_2_0102181F
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: 7F0005 value: E9 2B BA 6D 76
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: 76ECBA30 value: E9 DA 45 92 89
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: B40008 value: E9 8B 8E 3D 76
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: 76F18E90 value: E9 80 71 C2 89
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: C60005 value: E9 8B 4D F9 74
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: 75BF4D90 value: E9 7A B2 06 8B
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: C70005 value: E9 EB EB F9 74
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: 75C0EBF0 value: E9 1A 14 06 8B
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: C90005 value: E9 8B 8A 34 74
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: 74FD8A90 value: E9 7A 75 CB 8B
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: CA0005 value: E9 2B 02 36 74
Source: C:\Users\user\Desktop\file.exe
Memory written: PID: 7044 base: 75000230 value: E9 DA FD C9 8B
Source: C:\Users\user\Desktop\file.exe
Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\file.exe
Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\file.exe
Stalling execution: Execution stalls by calling Sleep
Source: Initial file
Signature Results: Thread-based counter
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00FB8A20 rdtsc
0_2_00FB8A20
Source: C:\Users\user\Desktop\file.exe
Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,
0_2_00DADA50
Source: C:\Users\user\Desktop\file.exe
Window / User API: threadDelayed 2988
Source: C:\Users\user\Desktop\file.exe
Window / User API: threadDelayed 6871
Source: C:\Users\user\Desktop\file.exe
Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe
API coverage: 9.7 %
Source: C:\Users\user\Desktop\file.exe TID: 7072
Thread sleep count: 2988 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7072
Thread sleep time: -301788s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7072
Thread sleep count: 6871 > 30
Source: C:\Users\user\Desktop\file.exe TID: 7072
Thread sleep time: -693971s >= -30000s
Source: all processes
Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe
Last function: Thread delayed
Source: file.exe, 00000000.00000002.4096544778.0000000000B50000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: file.exe, 00000000.00000003.1661389596.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.4096544778.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}s
Source: file.exe, 00000000.00000003.1661389596.0000000000BBF000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.4096544778.0000000000BAA000.00000004.00000020.00020000.00000000.sdmp
Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe
Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe
Process Stats: CPU usage > 42% for more than 60s
Source: C:\Users\user\Desktop\file.exe
Code function: 0_2_00DADA50 mov eax, dword ptr fs:[00000030h]
0_2_00DADA50
Source: C:\Users\user\Desktop\file.exe
Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Yara match
File source: Process Memory Space: file.exe PID: 7044, type: MEMORYSTR