Windows Analysis Report
j1zkOQTx4q.exe

Overview

General Information

Sample name:	j1zkOQTx4q.exe renamed because original name is a hash value
Original sample name:	c49a9a589af8da0d09c69670b2579ab9.exe
Analysis ID:	1431969
MD5:	c49a9a589af8da0d09c69670b2579ab9
SHA1:	51a936428711d9bd1307ffd3e75436a0e4568eb2
SHA256:	a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f
Tags:	32exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Hides threads from debuggers

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://193.233.132.253/lumma2104.exe	Avira URL Cloud: Label: malware
Source: http://5.42.66.10/download/th/Retailer_prog.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://193.233.132.253/lumma2104.exe	Virustotal: Detection: 22%			Perma Link
Source: http://5.42.66.10/download/th/Retailer_prog.exe	Virustotal: Detection: 23%			Perma Link

Multi AV Scanner detection for submitted file

Source: j1zkOQTx4q.exe	ReversingLabs: Detection: 47%
Source: j1zkOQTx4q.exe	Virustotal: Detection: 14%			Perma Link

Uses 32bit PE files

Source: j1zkOQTx4q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49741 version: TLS 1.2

Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2892096341.0000000000699000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Jason A. Donenfeld\Projects\wireguard-nt\Release\arm64\setupapihost.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 193.233.132.226:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.226:50500 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 193.233.132.226:50500
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.226:50500 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.4:49732 -> 193.233.132.226:50500

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 193.233.132.226:50500

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 5.42.66.10 5.42.66.10
Source: Joe Sandbox View	IP Address: 5.42.66.10 5.42.66.10
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 193.233.132.226 193.233.132.226

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.253/lumma2104.exe
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006484000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2891814780.000000000016F000.00000004.00000010.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe(
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe845-4e4c-bd18-02b67a
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: j1zkOQTx4q.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: j1zkOQTx4q.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: j1zkOQTx4q.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.220
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.220e
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.129.152.220
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000176A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.129.152.220
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/102.129.152.220
Source: j1zkOQTx4q.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: j1zkOQTx4q.exe, 00000000.00000003.2881418203.000000000648F000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2879892603.0000000006473000.00000004.00000020.00020000.00000000.sdmp, Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: j1zkOQTx4q.exe, 00000000.00000003.2881418203.000000000648F000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2879892603.0000000006473000.00000004.00000020.00020000.00000000.sdmp, Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, jTkI2DeqFXDxQHXHJ7lSt1A.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2885919526.00000000064D7000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001727000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/;Q
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.000000000644B000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.000000000644B000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/tes_1;
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/txt
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.wireguard.com/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.wireguard.com/D

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49741 version: TLS 1.2

PE / OLE file has an invalid certificate

Source: j1zkOQTx4q.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamewireguard.sysB vs j1zkOQTx4q.exe

Uses 32bit PE files

Source: j1zkOQTx4q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/23@2/4

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File created: C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: j1zkOQTx4q.exe, 00000000.00000003.2883776118.0000000006463000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE autofill_profiles ( guid VARCHAR PRIMARY KEY, company_name VARCHAR, street_address VARCHAR, dependent_locality VARCHAR, city VARCHAR, state VARCHAR, zipcode VARCHAR, sorting_code VARCHAR, country_code VARCHAR, date_modified INTEGER NOT NULL DEFAULT 0, origin VARCHAR DEFAULT '', language_code VARCHAR, use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, validity_bitfield UNSIGNED NOT NULL DEFAULT 0, is_client_validity_states_updated BOOL NOT NULL DEFAULT FALSE, label VARCHAR, disallow_settings_visible_updates INTEGER NOT NULL DEFAULT 0)R,last_visited INTEGER DEFAULT 0, created_from_play_api INTEGER DEFAULT 0);
Source: 6k0OzpAvOhwWLogin Data.0.dr, zB0jb1wxK8VALogin Data For Account.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: j1zkOQTx4q.exe	ReversingLabs: Detection: 47%
Source: j1zkOQTx4q.exe	Virustotal: Detection: 14%

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File read: C:\Users\user\Desktop\j1zkOQTx4q.exe

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: j1zkOQTx4q.exe

Static file information: File size 8976008 > 1048576

Source: j1zkOQTx4q.exe

Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x869a00

Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2892096341.0000000000699000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Jason A. Donenfeld\Projects\wireguard-nt\Release\arm64\setupapihost.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Unpacked PE file: 0.2.j1zkOQTx4q.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

PE file contains sections with non-standard names

Source: j1zkOQTx4q.exe	Static PE information: section name: .MPRESS1
Source: j1zkOQTx4q.exe	Static PE information: section name: .MPRESS2

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Window searched: window name: RegmonClass	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Window / User API: threadDelayed 491

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep count: 491 > 30	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep time: -49591s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 7028	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep count: 31 > 30	Jump to behavior

Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: j1zkOQTx4q.exe, 00000000.00000003.1690726517.0000000001787000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b};O
Source: j1zkOQTx4q.exe, 00000000.00000003.1665895243.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1665980539.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000177F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: j1zkOQTx4q.exe, 00000000.00000003.1690726517.0000000001787000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWQi
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.000000000645E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}xsegments_url_id
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: j1zkOQTx4q.exe, 00000000.00000003.1666222697.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1666299396.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: j1zkOQTx4q.exe, 00000000.00000003.1666141703.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1666375447.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1666065568.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Process queried: DebugObjectHandle	Jump to behavior

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.j1zkOQTx4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2889823463.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j1zkOQTx4q.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: j1zkOQTx4q.exe PID: 6884, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.j1zkOQTx4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2889823463.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j1zkOQTx4q.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.42.66.10	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
193.233.132.226	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
172.67.75.166	db-ip.com	United States	13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
ipinfo.io	34.117.186.192	true
db-ip.com	172.67.75.166	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/widget/demo/102.129.152.220	false		high
https://db-ip.com/demo/home.php?s=102.129.152.220	false		high

AV Detection

Antivirus detection for URL or domain

Source: http://193.233.132.253/lumma2104.exe	Avira URL Cloud: Label: malware
Source: http://5.42.66.10/download/th/Retailer_prog.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://193.233.132.253/lumma2104.exe	Virustotal: Detection: 22%			Perma Link
Source: http://5.42.66.10/download/th/Retailer_prog.exe	Virustotal: Detection: 23%			Perma Link

Multi AV Scanner detection for submitted file

Source: j1zkOQTx4q.exe	ReversingLabs: Detection: 47%
Source: j1zkOQTx4q.exe	Virustotal: Detection: 14%			Perma Link

Uses 32bit PE files

Source: j1zkOQTx4q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49741 version: TLS 1.2

Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2892096341.0000000000699000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Jason A. Donenfeld\Projects\wireguard-nt\Release\arm64\setupapihost.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 193.233.132.226:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.226:50500 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 193.233.132.226:50500
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.226:50500 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.4:49732 -> 193.233.132.226:50500

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 193.233.132.226:50500

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 5.42.66.10 5.42.66.10
Source: Joe Sandbox View	IP Address: 5.42.66.10 5.42.66.10
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 193.233.132.226 193.233.132.226

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.253/lumma2104.exe
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006484000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2891814780.000000000016F000.00000004.00000010.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe(
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe845-4e4c-bd18-02b67a
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: j1zkOQTx4q.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: j1zkOQTx4q.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: j1zkOQTx4q.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.220
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.220e
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.129.152.220
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000176A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.129.152.220
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/102.129.152.220
Source: j1zkOQTx4q.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: j1zkOQTx4q.exe, 00000000.00000003.2881418203.000000000648F000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2879892603.0000000006473000.00000004.00000020.00020000.00000000.sdmp, Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: j1zkOQTx4q.exe, 00000000.00000003.2881418203.000000000648F000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2879892603.0000000006473000.00000004.00000020.00020000.00000000.sdmp, Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, jTkI2DeqFXDxQHXHJ7lSt1A.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2885919526.00000000064D7000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001727000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/;Q
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.000000000644B000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.000000000644B000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/tes_1;
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/txt
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.wireguard.com/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.wireguard.com/D

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49741 version: TLS 1.2

PE / OLE file has an invalid certificate

Source: j1zkOQTx4q.exe

Static PE information: invalid certificate

Sample file is different than original file name gathered from version info

Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamewireguard.sysB vs j1zkOQTx4q.exe

Uses 32bit PE files

Source: j1zkOQTx4q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/23@2/4

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File created: C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: j1zkOQTx4q.exe, 00000000.00000003.2883776118.0000000006463000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE autofill_profiles ( guid VARCHAR PRIMARY KEY, company_name VARCHAR, street_address VARCHAR, dependent_locality VARCHAR, city VARCHAR, state VARCHAR, zipcode VARCHAR, sorting_code VARCHAR, country_code VARCHAR, date_modified INTEGER NOT NULL DEFAULT 0, origin VARCHAR DEFAULT '', language_code VARCHAR, use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, validity_bitfield UNSIGNED NOT NULL DEFAULT 0, is_client_validity_states_updated BOOL NOT NULL DEFAULT FALSE, label VARCHAR, disallow_settings_visible_updates INTEGER NOT NULL DEFAULT 0)R,last_visited INTEGER DEFAULT 0, created_from_play_api INTEGER DEFAULT 0);
Source: 6k0OzpAvOhwWLogin Data.0.dr, zB0jb1wxK8VALogin Data For Account.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: j1zkOQTx4q.exe	ReversingLabs: Detection: 47%
Source: j1zkOQTx4q.exe	Virustotal: Detection: 14%

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File read: C:\Users\user\Desktop\j1zkOQTx4q.exe

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: j1zkOQTx4q.exe

Static file information: File size 8976008 > 1048576

Source: j1zkOQTx4q.exe

Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x869a00

Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2892096341.0000000000699000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Jason A. Donenfeld\Projects\wireguard-nt\Release\arm64\setupapihost.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Unpacked PE file: 0.2.j1zkOQTx4q.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

PE file contains sections with non-standard names

Source: j1zkOQTx4q.exe	Static PE information: section name: .MPRESS1
Source: j1zkOQTx4q.exe	Static PE information: section name: .MPRESS2

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Window searched: window name: RegmonClass	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Window / User API: threadDelayed 491

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep count: 491 > 30	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep time: -49591s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 7028	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep count: 31 > 30	Jump to behavior

Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: j1zkOQTx4q.exe, 00000000.00000003.1690726517.0000000001787000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b};O
Source: j1zkOQTx4q.exe, 00000000.00000003.1665895243.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1665980539.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000177F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: j1zkOQTx4q.exe, 00000000.00000003.1690726517.0000000001787000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWQi
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.000000000645E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}xsegments_url_id
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: j1zkOQTx4q.exe, 00000000.00000003.1666222697.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1666299396.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: j1zkOQTx4q.exe, 00000000.00000003.1666141703.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1666375447.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1666065568.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Process queried: DebugObjectHandle	Jump to behavior

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.j1zkOQTx4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2889823463.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j1zkOQTx4q.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Yara detected Credential Stealer

Source: Yara match

File source: Process Memory Space: j1zkOQTx4q.exe PID: 6884, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.j1zkOQTx4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2889823463.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j1zkOQTx4q.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip, type: DROPPED

ID:	1431969
Product:	CloudBasic
Start time:	05:43:06
Start date:	26.04.2024
Sample:	j1zkOQTx4q.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	c49a9a589af8da0d09c69670b2579ab9
SHA1:	51a936428711d9bd1307ffd3e75436a0e4568eb2
SHA256:	a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\Cookies\Chrome_Default.txt	ASCII text, with very long lines (769), with CRLF line terminators	ACB5AD34236C58F9F7D219FB628E3B58	02E39404CA22F1368C46A7B8398F5F6001DB8F5C	05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\History\Firefox_fqs92o4p.default-release.txt	ASCII text, with CRLF line terminators	978B9515D3688A43726604AC169DF379	D61293AB99332FC45CAE37D78AB17A5DA5BCD189	CDEF3FB1CE312E4B67DC5F1B1F9FB551241C08564FDB26AFA4CBF448BB02EA65
C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\information.txt	ASCII text, with CRLF, LF line terminators	EEC1A77719D436F66D0998A3260B4C67	24E2C3E4B1F620A0A7B7B8658E5173BDA0B745B0	29297826AD054DDF694688A72FC9F82D229ACCD0F2B50286AA7739C85DB767EC
C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\passwords.txt	Unicode text, UTF-8 text, with CRLF, LF line terminators	B3E9D0E1B8207AA74CB8812BAAF52EAE	A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B	4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\screenshot.png	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced	CC52C219B468F648780DC981933A8A8E	40995F3A9B2D69DC84DC59DD64E31E468420BAAC	3754D5183ED1BF2D677D8C2AF790E15DAF8536C4C07B98EEE4B562B197E82CB5
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\02zdBXl47cvzcookies.sqlite	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3	369B6DD66F1CAD49D0952C40FEB9AD41	D05B2DE29433FB113EC4C558FF33087ED7481DD4	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\3b6N2Xdh3CYwplaces.sqlite	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	C0FDF21AE11A6D1FA1201D502614B622	11724034A1CC915B061316A96E79E9DA6A00ADE8	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\44JkKLWCBNJ9History	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4	6A6BAD38068B0F6F2CADC6464C4FE8F0	4E3B235898D8E900548613DDB6EA59CDA5EB4E68	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\4SpdqMeYgXg6Web Data	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	28591AA4E12D1C4FC761BE7C0A468622	BC4968A84C19377D05A8BB3F208FBFAC49F4820B	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\6D9jUVJ0_DSUWeb Data	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\6k0OzpAvOhwWLogin Data	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\B0tQxZcgttPJWeb Data	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	28591AA4E12D1C4FC761BE7C0A468622	BC4968A84C19377D05A8BB3F208FBFAC49F4820B	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\D4TGfpPH4IPOWeb Data	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\D87fZN3R3jFeplaces.sqlite	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2	C0FDF21AE11A6D1FA1201D502614B622	11724034A1CC915B061316A96E79E9DA6A00ADE8	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\Dh4UFB9VlaROHistory	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4	6A6BAD38068B0F6F2CADC6464C4FE8F0	4E3B235898D8E900548613DDB6EA59CDA5EB4E68	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\Dsx8sDItJfv3Login Data	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1	349E6EB110E34A08924D92F6B334801D	BDFB289DAFF51890CC71697B6322AA4B35EC9169	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\Zu2ikoLeiECZWeb Data	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2	780853CDDEAEE8DE70F28A4B255A600B	AD7A5DA33F7AD12946153C497E990720B09005ED	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\cIlG5Y0qTb9_History	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2	A2D1F4CF66465F9F0CAC61C4A95C7EDE	BA6A845E247B221AAEC96C4213E1FD3744B10A27	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\iYfCU4QVZjt3Web Data	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3	28591AA4E12D1C4FC761BE7C0A468622	BC4968A84C19377D05A8BB3F208FBFAC49F4820B	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\xvIioM0C1FXzHistory	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2	A2D1F4CF66465F9F0CAC61C4A95C7EDE	BA6A845E247B221AAEC96C4213E1FD3744B10A27	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\zB0jb1wxK8VALogin Data For Account	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1	28222628A3465C5F0D4B28F70F97F482	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\zHsmPskqoA3oCookies	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11	41EA9A4112F057AE6BA17E2838AEAC26	F2B389103BFD1A1A050C4857A995B09FEAFE8903	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip	Zip archive data, at least v2.0 to extract, compression method=deflate	B0D99B74DFEEF52E9DE4B9AC150B7AF0	C49B35D4A0443ADC597F98A70D4F78346FEC3570	3FDEB61743844FB1438050E72C627DE1D96D03707EE4286F782E331477D25CB7

Windows Analysis Report
j1zkOQTx4q.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report j1zkOQTx4q.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
j1zkOQTx4q.exe