Edit tour

Windows Analysis Report
j1zkOQTx4q.exe

Overview

General Information

Sample name:	j1zkOQTx4q.exe renamed because original name is a hash value
Original sample name:	c49a9a589af8da0d09c69670b2579ab9.exe
Analysis ID:	1431969
MD5:	c49a9a589af8da0d09c69670b2579ab9
SHA1:	51a936428711d9bd1307ffd3e75436a0e4568eb2
SHA256:	a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f
Tags:	32exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Hides threads from debuggers

Query firmware table information (likely to detect VMs)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Detected TCP or UDP traffic on non-standard ports

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

j1zkOQTx4q.exe (PID: 6884 cmdline: "C:\Users\user\Desktop\j1zkOQTx4q.exe" MD5: C49A9A589AF8DA0D09C69670B2579AB9)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.2889823463.0000000001A21000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: j1zkOQTx4q.exe PID: 6884	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: j1zkOQTx4q.exe PID: 6884	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.j1zkOQTx4q.exe.400000.0.unpack	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 193.233.132.226 - Destination IP: 192.168.2.4

Timestamp:	04/26/24-05:44:00.242345
SID:	2046266
Source Port:	50500
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.226

Timestamp:	04/26/24-05:44:55.687467
SID:	2046268
Source Port:	49732
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.226

Timestamp:	04/26/24-05:43:59.949956
SID:	2049060
Source Port:	49732
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.226

Timestamp:	04/26/24-05:45:36.095343
SID:	2046269
Source Port:	49732
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 193.233.132.226 - Destination IP: 192.168.2.4

Timestamp:	04/26/24-05:44:53.704210
SID:	2046267
Source Port:	50500
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://193.233.132.253/lumma2104.exe	Avira URL Cloud: Label: malware
Source: http://5.42.66.10/download/th/Retailer_prog.exe	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: http://193.233.132.253/lumma2104.exe	Virustotal: Detection: 22%			Perma Link
Source: http://5.42.66.10/download/th/Retailer_prog.exe	Virustotal: Detection: 23%			Perma Link

Multi AV Scanner detection for submitted file

Source: j1zkOQTx4q.exe	ReversingLabs: Detection: 47%
Source: j1zkOQTx4q.exe	Virustotal: Detection: 14%			Perma Link

Source: j1zkOQTx4q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49741 version: TLS 1.2

Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2892096341.0000000000699000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Jason A. Donenfeld\Projects\wireguard-nt\Release\arm64\setupapihost.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 193.233.132.226:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.226:50500 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.4:49732 -> 193.233.132.226:50500
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.226:50500 -> 192.168.2.4:49732
Source: Traffic	Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.4:49732 -> 193.233.132.226:50500

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 193.233.132.226:50500

Source: Joe Sandbox View	IP Address: 5.42.66.10 5.42.66.10
Source: Joe Sandbox View	IP Address: 5.42.66.10 5.42.66.10
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 193.233.132.226 193.233.132.226

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.66.10
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.226

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://193.233.132.253/lumma2104.exe
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006484000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2891814780.000000000016F000.00000004.00000010.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006484000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe(
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/Retailer_prog.exe845-4e4c-bd18-02b67a
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: j1zkOQTx4q.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: j1zkOQTx4q.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0H
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0I
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: j1zkOQTx4q.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.220
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.220e
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.129.152.220
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000176A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.129.152.220
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/102.129.152.220
Source: j1zkOQTx4q.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: j1zkOQTx4q.exe, 00000000.00000003.2881418203.000000000648F000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2879892603.0000000006473000.00000004.00000020.00020000.00000000.sdmp, Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: j1zkOQTx4q.exe, 00000000.00000003.2881418203.000000000648F000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2879892603.0000000006473000.00000004.00000020.00020000.00000000.sdmp, Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, jTkI2DeqFXDxQHXHJ7lSt1A.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2885919526.00000000064D7000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001727000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001727000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/;Q
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.000000000644B000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.000000000644B000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/tes_1;
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/txt
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.wireguard.com/
Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://www.wireguard.com/D

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown	Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49740 -> 443

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.4:49741 version: TLS 1.2

Source: j1zkOQTx4q.exe

Static PE information: invalid certificate

Source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamewireguard.sysB vs j1zkOQTx4q.exe

Source: j1zkOQTx4q.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/23@2/4

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File created: C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: j1zkOQTx4q.exe, 00000000.00000003.2883776118.0000000006463000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE autofill_profiles ( guid VARCHAR PRIMARY KEY, company_name VARCHAR, street_address VARCHAR, dependent_locality VARCHAR, city VARCHAR, state VARCHAR, zipcode VARCHAR, sorting_code VARCHAR, country_code VARCHAR, date_modified INTEGER NOT NULL DEFAULT 0, origin VARCHAR DEFAULT '', language_code VARCHAR, use_count INTEGER NOT NULL DEFAULT 0, use_date INTEGER NOT NULL DEFAULT 0, validity_bitfield UNSIGNED NOT NULL DEFAULT 0, is_client_validity_states_updated BOOL NOT NULL DEFAULT FALSE, label VARCHAR, disallow_settings_visible_updates INTEGER NOT NULL DEFAULT 0)R,last_visited INTEGER DEFAULT 0, created_from_play_api INTEGER DEFAULT 0);
Source: 6k0OzpAvOhwWLogin Data.0.dr, zB0jb1wxK8VALogin Data For Account.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: j1zkOQTx4q.exe	ReversingLabs: Detection: 47%
Source: j1zkOQTx4q.exe	Virustotal: Detection: 14%

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File read: C:\Users\user\Desktop\j1zkOQTx4q.exe

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: j1zkOQTx4q.exe

Static file information: File size 8976008 > 1048576

Source: j1zkOQTx4q.exe

Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x869a00

Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdbGCTL source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2892096341.0000000000699000.00000040.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\arm64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: D:\nt-driver-builder\wireguard-nt-0.10\Release\amd64\driver\wireguard.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp
Source:	Binary string: C:\Users\Jason A. Donenfeld\Projects\wireguard-nt\Release\arm64\setupapihost.pdb source: j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Unpacked PE file: 0.2.j1zkOQTx4q.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;

Source: initial sample

Static PE information: section where entry point is pointing to: .MPRESS2

Source: j1zkOQTx4q.exe	Static PE information: section name: .MPRESS1
Source: j1zkOQTx4q.exe	Static PE information: section name: .MPRESS2

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Window searched: window name: RegmonClass	Jump to behavior

Malware Analysis System Evasion

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

System information queried: FirmwareTableInformation

Jump to behavior

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Window / User API: threadDelayed 491

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep count: 52 > 30	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep count: 491 > 30	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep time: -49591s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 7028	Thread sleep count: 32 > 30	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe TID: 6908	Thread sleep count: 31 > 30	Jump to behavior

Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001720000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: j1zkOQTx4q.exe, 00000000.00000003.1690726517.0000000001787000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b};O
Source: j1zkOQTx4q.exe, 00000000.00000003.1665895243.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1665980539.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000177F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: j1zkOQTx4q.exe, 00000000.00000003.1690726517.0000000001787000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWQi
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.000000000645E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}xsegments_url_id
Source: j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.0000000001770000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: j1zkOQTx4q.exe, 00000000.00000003.1666222697.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1666299396.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__
Source: j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
Source: j1zkOQTx4q.exe, 00000000.00000003.1666141703.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1666375447.0000000001710000.00000004.00001000.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.1666065568.0000000001710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Process queried: DebugObjectHandle	Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.j1zkOQTx4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2889823463.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j1zkOQTx4q.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip, type: DROPPED

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\j1zkOQTx4q.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match

File source: Process Memory Space: j1zkOQTx4q.exe PID: 6884, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 0.2.j1zkOQTx4q.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2889823463.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: j1zkOQTx4q.exe PID: 6884, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	1 OS Credential Dumping	521 Security Software Discovery	Remote Services	1 Email Collection	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	33 Virtualization/Sandbox Evasion	LSASS Memory	33 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Software Packing	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	24 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
j1zkOQTx4q.exe	48%	ReversingLabs	Win32.Trojan.Znyonm
j1zkOQTx4q.exe	15%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://5.42.66.10/download/th/Retailer_prog.exe845-4e4c-bd18-02b67a	0%	Avira URL Cloud	safe
https://www.wireguard.com/D	0%	Avira URL Cloud	safe
http://193.233.132.253/lumma2104.exe	100%	Avira URL Cloud	malware
https://www.wireguard.com/	0%	Avira URL Cloud	safe
http://5.42.66.10/download/th/Retailer_prog.exe(	0%	Avira URL Cloud	safe
http://5.42.66.10/download/th/Retailer_prog.exe	100%	Avira URL Cloud	malware
https://www.wireguard.com/	0%	Virustotal		Browse
https://www.wireguard.com/D	1%	Virustotal		Browse
http://193.233.132.253/lumma2104.exe	23%	Virustotal		Browse
http://5.42.66.10/download/th/Retailer_prog.exe	24%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		high
db-ip.com	172.67.75.166	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/widget/demo/102.129.152.220	false		high
https://db-ip.com/demo/home.php?s=102.129.152.220	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.wireguard.com/	j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://duckduckgo.com/chrome_newtab	j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	D87fZN3R3jFeplaces.sqlite.0.dr	false		high
https://duckduckgo.com/ac/?q=	j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	false		high
https://sectigo.com/CPS0	j1zkOQTx4q.exe	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	false		high
http://ocsp.sectigo.com0	j1zkOQTx4q.exe	false	URL Reputation: safe	unknown
https://db-ip.com/demo/home.php?s=102.129.152.220e	j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.wireguard.com/D	j1zkOQTx4q.exe, 00000000.00000002.2893126435.000000000152F000.00000002.00000001.01000000.00000003.sdmp	false	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://db-ip.com/	j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	false		high
https://t.me/RiseProSUPPORT	j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, jTkI2DeqFXDxQHXHJ7lSt1A.zip.0.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	j1zkOQTx4q.exe, 00000000.00000003.2881418203.000000000648F000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2879892603.0000000006473000.00000004.00000020.00020000.00000000.sdmp, Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	j1zkOQTx4q.exe, 00000000.00000003.2881418203.000000000648F000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2879892603.0000000006473000.00000004.00000020.00020000.00000000.sdmp, Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	false		high
https://www.ecosia.org/newtab/	j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	false		high
https://ipinfo.io/Mozilla/5.0	j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	D87fZN3R3jFeplaces.sqlite.0.dr	false		high
https://ac.ecosia.org/autocomplete?q=	j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	j1zkOQTx4q.exe	false	URL Reputation: safe	unknown
https://t.me/risepro_bot	j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2885919526.00000000064D7000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017FF000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	false		high
https://ipinfo.io:443/widget/demo/102.129.152.220	j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000179A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5.42.66.10/download/th/Retailer_prog.exe845-4e4c-bd18-02b67a	j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://db-ip.com:443/demo/home.php?s=102.129.152.220	j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	false		high
http://5.42.66.10/download/th/Retailer_prog.exe(	j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006484000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	j1zkOQTx4q.exe, 00000000.00000002.2893328950.000000000176A000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	j1zkOQTx4q.exe	false	URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	false		high
http://193.233.132.253/lumma2104.exe	j1zkOQTx4q.exe, 00000000.00000002.2893328950.00000000017A6000.00000004.00000020.00020000.00000000.sdmp	false	23%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://5.42.66.10/download/th/Retailer_prog.exe	j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006484000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2891814780.000000000016F000.00000004.00000010.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000002.2895460297.0000000006463000.00000004.00000020.00020000.00000000.sdmp	false	24%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://www.winimage.com/zLibDll	j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	false		high
https://support.mozilla.org	D87fZN3R3jFeplaces.sqlite.0.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Dh4UFB9VlaROHistory.0.dr, 44JkKLWCBNJ9History.0.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	j1zkOQTx4q.exe, 00000000.00000003.2880279507.0000000006494000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2881720930.00000000064A0000.00000004.00000020.00020000.00000000.sdmp, j1zkOQTx4q.exe, 00000000.00000003.2880002087.0000000006466000.00000004.00000020.00020000.00000000.sdmp, B0tQxZcgttPJWeb Data.0.dr, iYfCU4QVZjt3Web Data.0.dr, 4SpdqMeYgXg6Web Data.0.dr	false		high
http://www.winimage.com/zLibDllDpRTpR	j1zkOQTx4q.exe, 00000000.00000002.2891954895.0000000000515000.00000002.00000001.01000000.00000003.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
5.42.66.10	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
193.233.132.226	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	true
172.67.75.166	db-ip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1431969
Start date and time:	2024-04-26 05:43:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	j1zkOQTx4q.exe renamed because original name is a hash value
Original Sample Name:	c49a9a589af8da0d09c69670b2579ab9.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/23@2/4
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:44:34	API Interceptor	229x Sleep call for process: j1zkOQTx4q.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
5.42.66.10	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse	5.42.66.10/api/flash.php
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	5.42.66.10/api/flash.php
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	5.42.66.10/download/th/Retailer_prog.exe
	5NlNJIHhTf.exe	Get hash	malicious	Unknown	Browse	5.42.66.10/download/th/getimage15.php
	file.exe	Get hash	malicious	Unknown	Browse	5.42.66.10/api/flash.php
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
193.233.132.226	SajWKdHxdF.exe	Get hash	malicious	RisePro Stealer	Browse
	SajWKdHxdF.exe	Get hash	malicious	RisePro Stealer	Browse
	qk9TaBBxh8.exe	Get hash	malicious	LummaC, Glupteba, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	SecuriteInfo.com.Win64.Evo-gen.32634.31069.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	SecuriteInfo.com.Trojan.Siggen28.25504.27914.23637.exe	Get hash	malicious	Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, SmokeLoader	Browse
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	LummaC, PureLog Stealer, RisePro Stealer	Browse
	SecuriteInfo.com.FileRepMalware.17769.21135.exe	Get hash	malicious	RisePro Stealer	Browse
	SecuriteInfo.com.FileRepMalware.17769.21135.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	http://crunchersflowdigital.com	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	TeaiGames.exe	Get hash	malicious	NovaSentinel	Browse	34.117.186.192
	ShadowFury.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	ShadowFury.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	SOLkM5sa4R.exe	Get hash	malicious	Phemedrone Stealer	Browse	34.117.186.192
db-ip.com	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	172.67.75.166
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	ygm2mXUReY.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15
	2q45IEa3Ee.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.4.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	f6FauZ2CEz.exe	Get hash	malicious	RedLine	Browse	5.42.92.179
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	45.15.156.9
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.96
	file.exe	Get hash	malicious	Unknown	Browse	5.42.66.10
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	5.42.66.10
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	5.42.66.10
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.96
	c3nBx2HQG2.exe	Get hash	malicious	Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	5.42.66.10
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.96
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.50
FREE-NET-ASFREEnetEU	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	193.233.132.175
	uqGHhft2DO.elf	Get hash	malicious	Mirai	Browse	147.45.234.222
	file.exe	Get hash	malicious	RedLine	Browse	193.233.132.169
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	193.233.132.175
	957C4XK6Lt.exe	Get hash	malicious	Phorpiex	Browse	193.233.132.177
	file.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.47
	file.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.47
	file.exe	Get hash	malicious	RisePro Stealer	Browse	147.45.47.93
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	193.233.132.234
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	http://www.vacationscenter.mx	Get hash	malicious	Unknown	Browse	34.117.118.44
	https://url.us.m.mimecastprotect.com/s/qkT5Cv2pWyUOjZODty9fnF?domain=google.com	Get hash	malicious	Unknown	Browse	34.117.250.57
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	0ar3q66pGv.elf	Get hash	malicious	Mirai	Browse	34.116.69.95
	http://94.156.79.129/x86_64	Get hash	malicious	Unknown	Browse	34.117.121.53
	http://94.156.79.129/i686	Get hash	malicious	Unknown	Browse	34.117.121.53
	http://crunchersflowdigital.com	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
CLOUDFLARENETUS	VoGtelkHSn.exe	Get hash	malicious	LummaC	Browse	172.67.163.209
	yX8787W7de.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	104.21.16.102
	https://cdp1.tracking.e360.salesforce.com/click?jwt=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJ0ZW5hbnRfaWQiOiJhMzYwL3Byb2QvNTBhMGYyODg2ZTg4NDA3Y2I1ODUwYmRjOWQwZGIxZTUiLCJjcmVhdGlvbl90aW1lIjoxNzE0MDg4MzE4LCJtZXNzYWdlX2lkIjoiMGd4dnAwdGZzeWpiNm4yamRiMDRuYWd5IzcyNWE1YTc5LTgxYzQtNGM0Yy1iNmI1LTdmMTY0MTM2ZTE2NCIsImNoYW5uZWxfdHlwZSI6ImVtYWlsIiwiZXhwIjoxNzQ1NjI0MzE4LCJyZWRpcmVjdF91cmwiOiJodHRwczovL3ZtLmJyYWRlbnRvbmNjLmluZm8vP2VvdmlldWJyJnFyYz1yZW5lZS5zY2h3YXJ0ekBxci5jb20uYXUiLCJpbmRpdmlkdWFsX2lkIjoiODdiZTY3MTdlZjJmMThjYzI3YmMyMWQ4OTJhY2Q2NzAifQ.iusDS7mld4iiq9DDY82R1MJ9ToHxmMDW3SMbDENZOZQ	Get hash	malicious	HTMLPhisher	Browse	1.1.1.1
	Payment Swift.doc	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://marinatitle.com	Get hash	malicious	Unknown	Browse	104.17.24.14
	ad.msi	Get hash	malicious	Latrodectus	Browse	172.67.219.28
	https://ndw5xvotehflt.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	104.21.53.38
	https://cnmxukx5efilc7lvlel.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.161
	https://m7qfa5ng4lp7.blob.core.windows.net/m7qfa5ng4lp7/1.html?4rKpnF7821CfLO43wsacrvmomp962ETPJQJTKIDNZNNV65316UFUY14332V14#14/43-7821/962-65316-14332	Get hash	malicious	Phisher	Browse	104.18.26.50
	https://bocmyw606y.pages.dev/smart89/	Get hash	malicious	Unknown	Browse	172.66.44.172

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	VoGtelkHSn.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.32374.20351.xlsx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192 172.67.75.166
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	34.117.186.192 172.67.75.166
	SecuriteInfo.com.Win32.Evo-gen.19638.13648.exe	Get hash	malicious	DBatLoader	Browse	34.117.186.192 172.67.75.166
	file.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192 172.67.75.166
	file.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	Iu4csQ2rwX.msi	Get hash	malicious	AsyncRAT	Browse	34.117.186.192 172.67.75.166
	o7b91j8vnJ.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166

Dropped Files

⊘No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\Cookies\Chrome_Default.txt

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	6085
Entropy (8bit):	6.038274200863744
Encrypted:	false
SSDEEP:	96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:	ACB5AD34236C58F9F7D219FB628E3B58
SHA1:	02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:	05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:	5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	.google.com.TRUE./.TRUE.1712145003.NID.ENC893_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\History\Firefox_fqs92o4p.default-release.txt

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.911305722693245
Encrypted:	false
SSDEEP:	3:N8DSLvIJiMgTE2WdkQUl7R8DSLvIJiMhKVX3L2WdkQUlv:2OLciodq7R8OLciA8dqv
MD5:	978B9515D3688A43726604AC169DF379
SHA1:	D61293AB99332FC45CAE37D78AB17A5DA5BCD189
SHA-256:	CDEF3FB1CE312E4B67DC5F1B1F9FB551241C08564FDB26AFA4CBF448BB02EA65
SHA-512:	86146AA576129B73743B1EBC0BC60880FDA58A11498048B3C68284C4520F1ADC324D016696B0E995A51AC56966E0F38B0AF12458A986868701C6AAAA89C829CB
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	https://www.mozilla.org/privacy/firefox/.1696333827..https://www.mozilla.org/en-US/privacy/firefox/.1696333827..

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\information.txt

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	5180
Entropy (8bit):	5.394901547020423
Encrypted:	false
SSDEEP:	96:xz11U5RnecT4Aisph892bXr/sgcANUbg3x:xJ6BevAtphw2bXrTlB
MD5:	EEC1A77719D436F66D0998A3260B4C67
SHA1:	24E2C3E4B1F620A0A7B7B8658E5173BDA0B745B0
SHA-256:	29297826AD054DDF694688A72FC9F82D229ACCD0F2B50286AA7739C85DB767EC
SHA-512:	2882C229FE058F13F7AE223F95AD625DE6B876DD1A56F57117BDE9A60A3605ABCA19C09F014C0E1138B6D2ECEB648E2193A52EB47D3CA40D6E41FB95AD31F48D
Malicious:	false
Reputation:	low
Preview:	Build: default..Version: 1.9....Date: Fri Apr 26 05:46:05 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 06eebc0e7d0fba550221581a6c41ae67....Path: C:\Users\user\Desktop\j1zkOQTx4q.exe..Work Dir: C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV....IP: 102.129.152.220..Location: US, Miami..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 065367 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 26/4/2024 5:46:5..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [78

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\passwords.txt

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	4897
Entropy (8bit):	2.518316437186352
Encrypted:	false
SSDEEP:	48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:	B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:	A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:	4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:	B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\screenshot.png

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	696835
Entropy (8bit):	7.924625803057396
Encrypted:	false
SSDEEP:	12288:dU+YN/zsDAL0YlKCsI4jx/NmR/xfJBQERNF4EYS/zLAGFQ/4n/KzoIu7fKszcOI:dG5z6AL0cP3WlU/xBBx9tB4HyCEIU5HI
MD5:	CC52C219B468F648780DC981933A8A8E
SHA1:	40995F3A9B2D69DC84DC59DD64E31E468420BAAC
SHA-256:	3754D5183ED1BF2D677D8C2AF790E15DAF8536C4C07B98EEE4B562B197E82CB5
SHA-512:	CDF43590290A47783CB48881AC79AA70C1DE06953C270E1C12CF1C096907DD70A20DA867270D4D35F7E5A3B14792EE05D04F1B39818F220C51FA5E7A2B27E6E6
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mU....v..I.s.w..XU......X...ZQe..Rr...d.`.....lD%H.1.XGK).$.U6.$... ...c......ko.[{Z...o.c......>F.s./...l...C.;%...O{..tO..:'.{X`.t.4:.....N.y/..C....&.\|..L.?M.........Wl.h.q.~ant>..91ulL.sO...yb..Y..HL.-..H........=.#.....5...k...4.C....CfO....L...?..S.yx~9....c1U....s....[.}.j........2.1..@..i.Y..#..L}.........5.?........<.E.S........E.S.Mys.....,z.`..'.Wj..u.@..3f..wd...fj..{ ...wf....+........"c.m.N.[Z........]us....j.[n....e....93..rK...a.P..%)O0f..>7V.7'...Z..S\|Q.k.T._.w..}R<...i......h<...ml..o......j.....K.=......{]_-yS..3..b.t....v....zM.....'..M..RLcA>.=o....e.]B,...%/.;;].../J.tw....J.-!..w..Z.k.....NWe.;^...qC.l..o.{...]....;\Yu.."..vL......./..;\...........%.\.Y.s.n....c~Y..K.._.....X..;...K{n.Y.10...).].O.?..%.E.^...=..h..3e...m.[..oui5..%..t.t..b.-.n.}.>,.&.k}.^..].MZ.u...O...Ly._\-."]7..)O.g..[.m..S...w6...nvQ..lza.)W..Z..z.

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\02zdBXl47cvzcookies.sqlite

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\3b6N2Xdh3CYwplaces.sqlite

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\44JkKLWCBNJ9History

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\4SpdqMeYgXg6Web Data

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\6D9jUVJ0_DSUWeb Data

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\6k0OzpAvOhwWLogin Data

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\B0tQxZcgttPJWeb Data

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\D4TGfpPH4IPOWeb Data

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\D87fZN3R3jFeplaces.sqlite

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\Dh4UFB9VlaROHistory

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\Dsx8sDItJfv3Login Data

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\Zu2ikoLeiECZWeb Data

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\cIlG5Y0qTb9_History

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\iYfCU4QVZjt3Web Data

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\xvIioM0C1FXzHistory

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\zB0jb1wxK8VALogin Data For Account

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\zHsmPskqoA3oCookies

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip

Download File

Process:	C:\Users\user\Desktop\j1zkOQTx4q.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	684325
Entropy (8bit):	7.99770869334907
Encrypted:	true
SSDEEP:	12288:DlyDmq4PXDpxyFGSiFwPNWDu4xRwsz7CZAEpRDjleKmH:D2mq4v1xgGdF8W64wAET9eKmH
MD5:	B0D99B74DFEEF52E9DE4B9AC150B7AF0
SHA1:	C49B35D4A0443ADC597F98A70D4F78346FEC3570
SHA-256:	3FDEB61743844FB1438050E72C627DE1D96D03707EE4286F782E331477D25CB7
SHA-512:	E0E2B63FAB070E8D96F6D34F7829C587B558B3E04EC323D253CEC3BACC5494D67CF10E58A0F64046964E17D3677D464B7FCD9C87DD00C48A3E6A9261DC5E0D47
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\jTkI2DeqFXDxQHXHJ7lSt1A.zip, Author: Joe Security
Preview:	PK.........-.X................Cookies\..PK.........-.XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E..l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3Ap.U5UX....Z.g:e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d\|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O\|.....>K......L...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u\|....v...3.;L..U?..b.....u....... .......F...P.a...\|R3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym

Static File Info

General

File type:	MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
Entropy (8bit):	7.997403294188346
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	j1zkOQTx4q.exe
File size:	8'976'008 bytes
MD5:	c49a9a589af8da0d09c69670b2579ab9
SHA1:	51a936428711d9bd1307ffd3e75436a0e4568eb2
SHA256:	a411f79466c5b91feae82cddf2cff3cd20130cec9955bf5003f0ce1febd5143f
SHA512:	4dcd6ca8c62466f18564e2b5b068238769603df2624b9b39d0f11aa7ff643bd09a51a2a16252c31b1b4ad8d0577ab8d8d9d91e93fdfa886121c37801788bd78c
SSDEEP:	196608:aOVNWi1IoE6S5MBjgluihHc4+oueCxQ/sfA84JmQGOVDm2:aOVwim8S5MykihHcYueCxQIA84JfLDm2
TLSH:	2A9633CF2143B631C627D1F65721C64D3A348912BC9436F9300CED69BFAAE76A5E22C5
File Content Preview:	MZ@.....................................!..L.!Win32 .EXE...$@...PE..L......f...............'.4...<........#......P....@...........................%.......................................#.L...L.#.H.....#.P................R.................................

File Icon


Icon Hash:	33eba39b1b08c0a4

Static PE Info

General

Entrypoint:	0x163b394
Entrypoint Section:	.MPRESS2
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x660FE6E7 [Fri Apr 5 11:56:23 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2f93cd80e5dfeca07d7e8b0f35545fb5

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=WORLD, S=WORLD, L=\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf, OU=SIMENS FINLAND, O=Creted by FINLAND, CN=SIMENS FINLAND
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	24/04/2024 11:45:57 16/06/2027 01:00:00
Subject Chain	C=WORLD, S=WORLD, L=\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf\xf4\xe8~\u2039\xf1\xa9\u2039M\xfc\u2039\xaf, OU=SIMENS FINLAND, O=Creted by FINLAND, CN=SIMENS FINLAND
Version:	3
Thumbprint MD5:	09ABD8180FD9B67AA58F4AF9DE81098C
Thumbprint SHA-1:	F76BD199CE1299A807F0FE9988862B4A9CD66F36
Thumbprint SHA-256:	38481C37EE46CCBDC1A689FF78DD71BCA0A504E9511F7281F257A0060EB488AA
Serial:	46DBEB2987ECF44A9608BDA808CCF164

Entrypoint Preview

Instruction
pushad
call 00007FB620C2D8A5h
pop eax
add eax, 00000B5Ah
mov esi, dword ptr [eax]
add esi, eax
sub eax, eax
mov edi, esi
lodsw
shl eax, 0Ch
mov ecx, eax
push eax
lodsd
sub ecx, eax
add esi, ecx
mov ecx, eax
push edi
push ecx
dec ecx
mov al, byte ptr [ecx+edi+06h]
mov byte ptr [ecx+esi], al
jne 00007FB620C2D898h
sub eax, eax
lodsb
mov ecx, eax
and cl, FFFFFFF0h
and al, 0Fh
shl ecx, 0Ch
mov ch, al
lodsb
or ecx, eax
push ecx
add cl, ch
mov ebp, FFFFFD00h
shl ebp, cl
pop ecx
pop eax
mov ebx, esp
lea esp, dword ptr [esp+ebp*2-00000E70h]
push ecx
sub ecx, ecx
push ecx
push ecx
mov ecx, esp
push ecx
mov dx, word ptr [edi]
shl edx, 0Ch
push edx
push edi
add ecx, 04h
push ecx
push eax
add ecx, 04h
push esi
push ecx
call 00007FB620C2D903h
mov esp, ebx
pop esi
pop edx
sub eax, eax
mov dword ptr [edx+esi], eax
mov ah, 10h
sub edx, eax
sub ecx, ecx
cmp ecx, edx
jnc 00007FB620C2D8C8h
mov ebx, ecx
lodsb
inc ecx
and al, FEh
cmp al, E8h
jne 00007FB620C2D894h
inc ebx
add ecx, 04h
lodsd
or eax, eax
js 00007FB620C2D8A8h
cmp eax, edx
jnc 00007FB620C2D887h
jmp 00007FB620C2D8A8h
add eax, ebx
js 00007FB620C2D881h
add eax, edx
sub eax, ebx
mov dword ptr [esi-04h], eax
jmp 00007FB620C2D878h
call 00007FB620C2D8A5h
pop edi
add edi, FFFFFF4Dh
mov al, E9h
stosb
mov eax, 00000B56h
stosd
call 00007FB620C2D8A5h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x123b000	0x4c	.MPRESS2
IMAGE_DIRECTORY_ENTRY_IMPORT	0x123b04c	0x348	.MPRESS2
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x123c000	0x1f650	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x88a400	0x5288	.MPRESS1
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x123bf00	0x18	.MPRESS2
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x123b178	0x68	.MPRESS2
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0xd2b498	0x40	.MPRESS1
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.MPRESS1	0x1000	0x123a000	0x869a00	6956b435ab7567e7706f315e89ade418	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.MPRESS2	0x123b000	0xf20	0x1000	006d332fbd96b950972f24e93d6c10c7	False	0.548828125	data	5.884664902513636	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x123c000	0x1f650	0x1f800	278191c907be4d7f97038651482a0e67	False	0.5691034226190477	data	6.2840827187276025	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x123c0b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.6923758865248227
RT_ICON	0x123c540	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.5171200750469043
RT_ICON	0x123d610	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.30708032651129774
RT_ICON	0x124de60	0xb7e2	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.0004461061307728
RT_ICON	0x125966c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.46621621621621623
RT_ICON	0x12597bc	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.1351156069364162
RT_ICON	0x1259d4c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.20833333333333334
RT_ICON	0x125a1dc	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.14169675090252706
RT_RCDATA	0x112f650	0x1b350	empty	English	United States	0
RT_RCDATA	0x114a9a0	0x2758	empty	English	United States	0
RT_RCDATA	0x114d0f8	0x80a	empty	English	United States	0
RT_RCDATA	0x114d904	0x72598	empty	English	United States	0
RT_RCDATA	0x11bfe9c	0x27d2	empty	English	United States	0
RT_RCDATA	0x11c2670	0x80a	empty	English	United States	0
RT_RCDATA	0x11c2e7c	0x77798	empty	English	United States	0
RT_GROUP_ICON	0x125ad28	0x3e	data	English	United States	0.8064516129032258
RT_GROUP_ICON	0x125ad90	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x125ae10	0xdc	data	English	United States	0.6545454545454545
RT_MANIFEST	0x125af2c	0x723	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3973727422003284

Imports

DLL	Import
KERNEL32.DLL	GetModuleHandleA, GetProcAddress
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegQueryValueExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession

Exports

Name	Ordinal	Address
Start	1	0x461330

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/26/24-05:44:00.242345	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49732	193.233.132.226	192.168.2.4
04/26/24-05:44:55.687467	TCP	2046268	ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings)	49732	50500	192.168.2.4	193.233.132.226
04/26/24-05:43:59.949956	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49732	50500	192.168.2.4	193.233.132.226
04/26/24-05:45:36.095343	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49732	50500	192.168.2.4	193.233.132.226
04/26/24-05:44:53.704210	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	50500	49732	193.233.132.226	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 05:43:59.627837896 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:43:59.935012102 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:43:59.935127020 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:43:59.949955940 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:44:00.242345095 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:44:00.282594919 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:44:00.297143936 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:44:03.376449108 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:44:03.725370884 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:44:35.673566103 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:44:36.020914078 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:44:53.704210043 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:44:53.751429081 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:44:53.956110001 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:53.956140041 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:53.956201077 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:53.959692001 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:53.959705114 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:54.332813978 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:54.332906961 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:54.334362030 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:54.334367990 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:54.334733009 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:54.376409054 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:54.384241104 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:54.428170919 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:54.712310076 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:54.712644100 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:54.712824106 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:54.718921900 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:54.718921900 CEST	49740	443	192.168.2.4	34.117.186.192
Apr 26, 2024 05:44:54.718944073 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:54.718952894 CEST	443	49740	34.117.186.192	192.168.2.4
Apr 26, 2024 05:44:54.872183084 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 26, 2024 05:44:54.872210026 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:54.872302055 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 26, 2024 05:44:54.872720003 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 26, 2024 05:44:54.872739077 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:55.192425966 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:55.192567110 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 26, 2024 05:44:55.194108963 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 26, 2024 05:44:55.194114923 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:55.194593906 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:55.195785046 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 26, 2024 05:44:55.240119934 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:55.423114061 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:44:55.470153093 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:44:55.686225891 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:55.686593056 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:55.686777115 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 26, 2024 05:44:55.686933994 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 26, 2024 05:44:55.686944962 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:55.686955929 CEST	49741	443	192.168.2.4	172.67.75.166
Apr 26, 2024 05:44:55.686961889 CEST	443	49741	172.67.75.166	192.168.2.4
Apr 26, 2024 05:44:55.687467098 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:44:56.035784006 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:44:57.602844000 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:44:57.657840967 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:44:59.390281916 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:44:59.407844067 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:44:59.809062004 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:01.019835949 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:01.063944101 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:01.860594988 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:02.211577892 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:05.001576900 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:05.409440041 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:23.544864893 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:23.595206976 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:23.642149925 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:24.009287119 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:36.095343113 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:36.508893967 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:54.432549000 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:54.485946894 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:55.546716928 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:55.579740047 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:56.011888027 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:56.273870945 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:56.329591990 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:57.597668886 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:57.642226934 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:59.544809103 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:59.549988031 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:59.856925011 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:59.857039928 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:59.857074022 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:59.857108116 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:59.857144117 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:59.857182980 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:59.857224941 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:59.857260942 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:45:59.857352018 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:45:59.910062075 CEST	49742	80	192.168.2.4	5.42.66.10
Apr 26, 2024 05:46:00.165440083 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.165488005 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.165563107 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.165582895 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.165647984 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.165680885 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.165718079 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.165800095 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.165898085 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.166098118 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.166151047 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.166177988 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.166208982 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.166265011 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.166323900 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.166349888 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.166418076 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.214061975 CEST	80	49742	5.42.66.10	192.168.2.4
Apr 26, 2024 05:46:00.214169025 CEST	49742	80	192.168.2.4	5.42.66.10
Apr 26, 2024 05:46:00.473407030 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.473495960 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.473525047 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.473624945 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.473818064 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.473850965 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.473891973 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.473922014 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.473965883 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.473984003 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474019051 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474050999 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474124908 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474164009 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.474237919 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474270105 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474344015 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474359989 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.474437952 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.474617958 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474651098 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474695921 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.474735022 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.474766016 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474838972 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.474929094 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.781641960 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.781755924 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.781790018 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.781852961 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.781922102 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.782000065 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.782119989 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.782203913 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.782322884 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.782381058 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.782416105 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.782531977 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.782603979 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.782708883 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.782720089 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.782809973 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.782840014 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.782912016 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:00.910442114 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:00.910666943 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.360865116 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.509607077 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.509659052 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.509687901 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.509730101 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.511127949 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.511161089 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.511332035 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.511408091 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.511483908 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.511531115 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.668282032 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.817660093 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.817714930 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.817749023 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.817840099 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.819221020 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.819293976 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.819529057 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.819605112 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.819905043 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.819957972 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.820197105 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.820274115 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.820296049 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.820353031 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.820530891 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.820596933 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.821150064 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821166039 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821181059 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821213007 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.821260929 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.821275949 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821326971 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821341991 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.821449041 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821464062 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821537018 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821557999 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.821571112 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821621895 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.821669102 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821682930 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821727037 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.821768045 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.821866989 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821908951 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.821932077 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.821971893 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.822438955 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.822499990 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.822627068 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.822696924 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.822736025 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.822802067 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.823117018 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.823179960 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.823514938 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.823529959 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.823601007 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.823631048 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.823693991 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.823808908 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.823860884 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.823873043 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.823916912 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.823924065 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.823950052 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.824023008 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.824183941 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.824253082 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.824553967 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.824640989 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.824681044 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.824750900 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.825552940 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.825620890 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.825635910 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.825680971 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.826102018 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.826153040 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.826210022 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.826220036 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.826226950 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.826294899 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.826416016 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.826478958 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.826751947 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.826792002 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.826811075 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.826868057 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.826942921 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.827008009 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.827013969 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.827069998 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.827141047 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.827156067 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.827224016 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.827244043 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.827300072 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.827513933 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.827528000 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.827600002 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.827708006 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.827763081 CEST	49732	50500	192.168.2.4	193.233.132.226
Apr 26, 2024 05:46:01.827780008 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.827979088 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.828097105 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.828243017 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:01.910556078 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.125170946 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.125226021 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.125572920 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.125787973 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.126471043 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.126524925 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.126871109 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.126996994 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.127063990 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.127213955 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.127289057 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128010988 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128137112 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128242016 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128285885 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128317118 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128348112 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128381014 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128412008 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128598928 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128631115 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.128781080 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.129031897 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.129148960 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.129182100 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.129352093 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.129384041 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.129554987 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.129748106 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.129904032 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.129936934 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.130116940 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.130203962 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.130399942 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.130776882 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.130808115 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.130839109 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.130913973 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.130947113 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.131002903 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.131211042 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.131580114 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.131663084 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.131964922 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.132170916 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.132261992 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.132294893 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.132325888 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.132612944 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.132729053 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.132896900 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.133131027 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.133172989 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.133487940 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.133568048 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134108067 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134140015 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134176016 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134207964 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134238005 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134268999 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134355068 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134743929 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134778023 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.134942055 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.135035992 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.135576010 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.135607958 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.135827065 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.135991096 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.136470079 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.136959076 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.136991978 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.137052059 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.137132883 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.137334108 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.137428999 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.137460947 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.137515068 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.137597084 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.137733936 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.138020992 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.138386011 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.138417959 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.138780117 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.138812065 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.138844967 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.139096975 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.139130116 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.139235020 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.139755964 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.139787912 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.139914989 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140006065 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140081882 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140141964 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140175104 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140225887 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140259027 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140290022 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140321970 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140521049 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140625954 CEST	50500	49732	193.233.132.226	192.168.2.4
Apr 26, 2024 05:46:02.140810966 CEST	50500	49732	193.233.132.226	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 05:44:53.803080082 CEST	49924	53	192.168.2.4	1.1.1.1
Apr 26, 2024 05:44:53.950670958 CEST	53	49924	1.1.1.1	192.168.2.4
Apr 26, 2024 05:44:54.720726967 CEST	49870	53	192.168.2.4	1.1.1.1
Apr 26, 2024 05:44:54.870719910 CEST	53	49870	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 05:44:53.803080082 CEST	192.168.2.4	1.1.1.1	0xbabb	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Apr 26, 2024 05:44:54.720726967 CEST	192.168.2.4	1.1.1.1	0x1973	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 05:44:53.950670958 CEST	1.1.1.1	192.168.2.4	0xbabb	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Apr 26, 2024 05:44:54.870719910 CEST	1.1.1.1	192.168.2.4	0x1973	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
Apr 26, 2024 05:44:54.870719910 CEST	1.1.1.1	192.168.2.4	0x1973	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false
Apr 26, 2024 05:44:54.870719910 CEST	1.1.1.1	192.168.2.4	0x1973	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

ipinfo.io

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49740	34.117.186.192	443	6884	C:\Users\user\Desktop\j1zkOQTx4q.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:44:54 UTC	240	OUT	GET /widget/demo/102.129.152.220 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: ipinfo.io
2024-04-26 03:44:54 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 26 Apr 2024 03:44:54 GMT content-type: application/json; charset=utf-8 Content-Length: 1020 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 03:44:54 UTC	741	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4d 69 61 6d 69 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 32 35 2e 37 37 34 33 2c 2d 38 30 2e 31 39 33 37 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 33 31 30 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d Data Ascii: { "input": "102.129.152.220", "data": { "ip": "102.129.152.220", "city": "Miami", "region": "Florida", "country": "US", "loc": "25.7743,-80.1937", "org": "AS174 Cogent Communications", "postal": "33101", "timezone": "Am
2024-04-26 03:44:54 UTC	279	IN	Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 47 72 6f 75 6e 64 20 46 6c 6f 6f 72 2c 20 34 20 56 69 63 74 6f 72 69 61 20 53 71 75 61 72 65 2c 20 53 74 20 41 6c 62 61 6e 73 2c 20 61 64 64 72 65 73 73 3a 20 48 65 72 74 66 6f 72 64 73 68 69 72 65 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 4c 54 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 70 61 75 6c 69 75 73 2e 7a 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 50 61 75 6c 69 75 73 20 5a 61 75 72 61 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 32 38 2e 30 2f 31 37 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 74 65 6c 3a 2b 33 37 Data Ascii: address": "Ground Floor, 4 Victoria Square, St Albans, address: Hertfordshire, London, United Kingdom", "country": "LT", "email": "paulius.z@ipxo.com", "name": "Paulius Zaura", "network": "102.129.128.0/17", "phone": "tel:+37

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49741	172.67.75.166	443	6884	C:\Users\user\Desktop\j1zkOQTx4q.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 03:44:55 UTC	264	OUT	GET /demo/home.php?s=102.129.152.220 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Host: db-ip.com
2024-04-26 03:44:55 UTC	660	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 03:44:55 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC465318:6A7E_93878F2E:0050_662B2337_9EBBC72:7B63 x-iplb-instance: 59128 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Nt2tLq7BW%2F79zZaBuM7V%2F3GvajXlaWv4B1wsLRpROGiFImVq0HYGK6YbdGTKYiou%2F%2FO%2FhEPLjRc6UaT9uxuiE3p59niU2m%2BJAFtBRUNeH7JSbl4jEfnrQMNdUg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a393ba79ee2239-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 03:44:55 UTC	709	IN	Data Raw: 32 63 35 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 Data Ascii: 2c5{"status":"ok","demoInfo":{"ipAddress":"102.129.152.220","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","language
2024-04-26 03:44:55 UTC	7	IN	Data Raw: 6f 77 22 7d 7d 0d 0a Data Ascii: ow"}}
2024-04-26 03:44:55 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: j1zkOQTx4q.exePID: 6884, Parent PID: 2580

General

Target ID:	0
Start time:	05:43:54
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\j1zkOQTx4q.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\j1zkOQTx4q.exe"
Imagebase:	0x400000
File size:	8'976'008 bytes
MD5 hash:	C49A9A589AF8DA0D09C69670B2579AB9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.2895460297.0000000006420000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2889823463.0000000001A21000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report j1zkOQTx4q.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Boot Survival

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\Cookies\Chrome_Default.txt

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\History\Firefox_fqs92o4p.default-release.txt

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\information.txt

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\passwords.txt

C:\Users\user\AppData\Local\Temp\adobe25HiBSyPbReV\screenshot.png

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\02zdBXl47cvzcookies.sqlite

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\3b6N2Xdh3CYwplaces.sqlite

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\44JkKLWCBNJ9History

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\4SpdqMeYgXg6Web Data

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\6D9jUVJ0_DSUWeb Data

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\6k0OzpAvOhwWLogin Data

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\B0tQxZcgttPJWeb Data

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\D4TGfpPH4IPOWeb Data

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\D87fZN3R3jFeplaces.sqlite

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\Dh4UFB9VlaROHistory

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\Dsx8sDItJfv3Login Data

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\Zu2ikoLeiECZWeb Data

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\cIlG5Y0qTb9_History

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\iYfCU4QVZjt3Web Data

C:\Users\user\AppData\Local\Temp\heidi25HiBSyPbReV\xvIioM0C1FXzHistory

Windows Analysis Report
j1zkOQTx4q.exe