Windows Analysis Report file.exe

Snort IDS alert for network traffic

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49734 version: TLS 1.2

Networking

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 45.15.156.9:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 45.15.156.9:50500 -> 192.168.2.4:49732

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 45.15.156.9:50500

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.4.15 104.26.4.15

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E04EB0 recv,setsockopt,recv,recv,recv,setsockopt,recv,recv,Sleep,Sleep,

0_2_00E04EB0

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.220
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.2206
Source: file.exe, 00000000.00000002.1898640165.0000000001C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.129.152.220
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.1898640165.0000000001C62000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.1898640165.0000000001C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/s
Source: file.exe, 00000000.00000002.1898640165.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.129.152.220
Source: file.exe, 00000000.00000002.1898640165.0000000001C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/x
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/102.129.152.220
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1745080751.00000000066B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1747119459.00000000066D1000.00000004.00000020.00020000.00000000.sdmp, Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1745080751.00000000066B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1747119459.00000000066D1000.00000004.00000020.00020000.00000000.sdmp, Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000002.1898640165.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, gaUkmAzGb_el0KBPcRFr18l.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot)
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot52.220
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botdd
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/7
Source: file.exe, 00000000.00000002.1899360370.000000000669E000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/m
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/Dragon
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
Source: file.exe, 00000000.00000002.1899360370.000000000669E000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/r

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49734 version: TLS 1.2

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBF730	0_2_00DBF730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4B8E0	0_2_00D4B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC2100	0_2_00DC2100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010C65C2	0_2_010C65C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7C950	0_2_00D7C950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7A918	0_2_00D7A918
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D98BA0	0_2_00D98BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED72CE	0_2_00ED72CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010D757B	0_2_010D757B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6F570	0_2_00D6F570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2BFC0	0_2_00E2BFC0

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1776

PE / OLE file has an invalid certificate

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@2/28@2/3

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7484

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\trixyKRfwTJj1oH7F

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.1744279670.0000000001D17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1744631467.0000000001D17000.00000004.00000020.00020000.00000000.sdmp, UgGJ3iGDvYBdLogin Data For Account.0.dr, ThP4m_kOyXD9Login Data.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1776

Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Entry point lies outside standard sections

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 4114680 > 1048576

Source: file.exe

Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x3ca600

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name: .vmp
Source: file.exe	Static PE information: section name: .vmp
Source: file.exe	Static PE information: section name: .vmp

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4ECBE push ecx; retf	0_2_00F4ED37
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDEC0E push ecx; iretd	0_2_00F106DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010FCCA2 push 0000006Dh; ret	0_2_010FCCFF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA8FD6 push CBA5C98Ch; retf	0_2_00FA8FDF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106797F push 205360DBh; ret	0_2_01067998
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010698D2 push ebp; ret	0_2_01069907
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCBA43 push 205360DBh; ret	0_2_01067998
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F61F5F push edx; retf	0_2_00EFF50E

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 1C00005 value: E9 2B BA 2C 75	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 76ECBA30 value: E9 DA 45 D3 8A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 1C10008 value: E9 8B 8E 30 75	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 76F18E90 value: E9 80 71 CF 8A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 35D0005 value: E9 8B 4D 62 72	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 75BF4D90 value: E9 7A B2 9D 8D	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 35E0005 value: E9 EB EB 62 72	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 75C0EBF0 value: E9 1A 14 9D 8D	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 35F0005 value: E9 8B 8A 9E 71	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 74FD8A90 value: E9 7A 75 61 8E	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 3600005 value: E9 2B 02 A0 71	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 75000230 value: E9 DA FD 5F 8E	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe

Stalling execution: Execution stalls by calling Sleep

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0118654D rdtsc

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: file.exe, 00000000.00000003.1752417902.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7163F936
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: file.exe, 00000000.00000003.1696606277.0000000001C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.1898640165.0000000001C72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWS
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: file.exe, 00000000.00000002.1899493695.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000003.1696606277.0000000001C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0118654D rdtsc

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D7360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_00D7360D

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Yara match	File source: 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756945593.000000000677F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gaUkmAzGb_el0KBPcRFr18l.zip, type: DROPPED

Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsSqP=
Source: file.exe, 00000000.00000003.1752417902.00000000066B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets
Source: file.exe, 00000000.00000002.1898640165.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
Source: file.exe, 00000000.00000003.1752417902.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000003.1752417902.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.1899493695.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.1899493695.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR

Remote Access Functionality

Multi AV Scanner detection for submitted file

Source: Yara match	File source: 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756945593.000000000677F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gaUkmAzGb_el0KBPcRFr18l.zip, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
45.15.156.9	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
104.26.4.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false

Contacted Domains

Name	IP	Active
ipinfo.io	34.117.186.192	true
db-ip.com	104.26.4.15	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/widget/demo/102.129.152.220	false		high
https://db-ip.com/demo/home.php?s=102.129.152.220	false		high

AV Detection

Source: file.exe

Virustotal: Detection: 22%

Perma Link

Snort IDS alert for network traffic

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49734 version: TLS 1.2

Networking

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 45.15.156.9:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 45.15.156.9:50500 -> 192.168.2.4:49732

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 45.15.156.9:50500

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.4.15 104.26.4.15

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

May check the online IP address of the machine

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Uses a known web browser user agent for HTTP communication

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E04EB0 recv,setsockopt,recv,recv,recv,setsockopt,recv,recv,Sleep,Sleep,

0_2_00E04EB0

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.220
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.2206
Source: file.exe, 00000000.00000002.1898640165.0000000001C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.129.152.220
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.1898640165.0000000001C62000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.1898640165.0000000001C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/s
Source: file.exe, 00000000.00000002.1898640165.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.129.152.220
Source: file.exe, 00000000.00000002.1898640165.0000000001C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/x
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/102.129.152.220
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1745080751.00000000066B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1747119459.00000000066D1000.00000004.00000020.00020000.00000000.sdmp, Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1745080751.00000000066B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1747119459.00000000066D1000.00000004.00000020.00020000.00000000.sdmp, Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000002.1898640165.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, gaUkmAzGb_el0KBPcRFr18l.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot)
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot52.220
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botdd
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/7
Source: file.exe, 00000000.00000002.1899360370.000000000669E000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/m
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/Dragon
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
Source: file.exe, 00000000.00000002.1899360370.000000000669E000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/r

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49734 version: TLS 1.2

Detected potential crypto function

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBF730	0_2_00DBF730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4B8E0	0_2_00D4B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC2100	0_2_00DC2100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010C65C2	0_2_010C65C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7C950	0_2_00D7C950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7A918	0_2_00D7A918
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D98BA0	0_2_00D98BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED72CE	0_2_00ED72CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010D757B	0_2_010D757B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6F570	0_2_00D6F570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2BFC0	0_2_00E2BFC0

One or more processes crash

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1776

PE / OLE file has an invalid certificate

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@2/28@2/3

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7484

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\trixyKRfwTJj1oH7F

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.1744279670.0000000001D17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1744631467.0000000001D17000.00000004.00000020.00020000.00000000.sdmp, UgGJ3iGDvYBdLogin Data For Account.0.dr, ThP4m_kOyXD9Login Data.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1776

Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Entry point lies outside standard sections

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 4114680 > 1048576

Source: file.exe

Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x3ca600

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

PE file contains sections with non-standard names

Source: file.exe	Static PE information: section name: .vmp
Source: file.exe	Static PE information: section name: .vmp
Source: file.exe	Static PE information: section name: .vmp

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4ECBE push ecx; retf	0_2_00F4ED37
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDEC0E push ecx; iretd	0_2_00F106DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010FCCA2 push 0000006Dh; ret	0_2_010FCCFF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA8FD6 push CBA5C98Ch; retf	0_2_00FA8FDF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106797F push 205360DBh; ret	0_2_01067998
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010698D2 push ebp; ret	0_2_01069907
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCBA43 push 205360DBh; ret	0_2_01067998
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F61F5F push edx; retf	0_2_00EFF50E

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 1C00005 value: E9 2B BA 2C 75	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 76ECBA30 value: E9 DA 45 D3 8A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 1C10008 value: E9 8B 8E 30 75	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 76F18E90 value: E9 80 71 CF 8A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 35D0005 value: E9 8B 4D 62 72	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 75BF4D90 value: E9 7A B2 9D 8D	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 35E0005 value: E9 EB EB 62 72	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 75C0EBF0 value: E9 1A 14 9D 8D	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 35F0005 value: E9 8B 8A 9E 71	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 74FD8A90 value: E9 7A 75 61 8E	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 3600005 value: E9 2B 02 A0 71	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 75000230 value: E9 DA FD 5F 8E	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe

Stalling execution: Execution stalls by calling Sleep

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0118654D rdtsc

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: file.exe, 00000000.00000003.1752417902.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7163F936
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: file.exe, 00000000.00000003.1696606277.0000000001C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.1898640165.0000000001C72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWS
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: file.exe, 00000000.00000002.1899493695.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000003.1696606277.0000000001C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Contains functionality for execution timing, often used to detect debuggers

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0118654D rdtsc

Queries information about the installed CPU (vendor, model number etc)

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D7360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_00D7360D

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

AV process strings found (often used to terminate AV products)

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Yara match	File source: 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756945593.000000000677F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gaUkmAzGb_el0KBPcRFr18l.zip, type: DROPPED

Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsSqP=
Source: file.exe, 00000000.00000003.1752417902.00000000066B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets
Source: file.exe, 00000000.00000002.1898640165.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
Source: file.exe, 00000000.00000003.1752417902.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000003.1752417902.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.1899493695.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.1899493695.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR

Remote Access Functionality