Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1432049
MD5:	661c97c107efc1d69510c2c4ea7aad09
SHA1:	90a923d3c504672057fbdc3fbf42c3be8db5fd8c
SHA256:	be630b379514bcea2ea2bb6285c966812b818b49c345ff5ce2ee2e714543f5dd
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Entry point lies outside standard sections

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 661C97C107EFC1D69510C2C4EA7AAD09)

WerFault.exe (PID: 7692 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1776 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\gaUkmAzGb_el0KBPcRFr18l.zip	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.1756945593.000000000677F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7484	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: file.exe PID: 7484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 45.15.156.9 - Destination IP: 192.168.2.4

Timestamp:	04/26/24-11:06:02.426603
SID:	2046266
Source Port:	50500
Destination Port:	49732
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 45.15.156.9

Timestamp:	04/26/24-11:06:02.187295
SID:	2049060
Source Port:	49732
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

Virustotal: Detection: 22%

Perma Link

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49734 version: TLS 1.2

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.4:49732 -> 45.15.156.9:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 45.15.156.9:50500 -> 192.168.2.4:49732

Source: global traffic

TCP traffic: 192.168.2.4:49732 -> 45.15.156.9:50500

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 104.26.4.15 104.26.4.15

Source: Joe Sandbox View

ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9
Source: unknown	TCP traffic detected without corresponding DNS query: 45.15.156.9

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E04EB0 recv,setsockopt,recv,recv,recv,setsockopt,recv,recv,Sleep,Sleep,

0_2_00E04EB0

Source: global traffic	HTTP traffic detected: GET /widget/demo/102.129.152.220 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=102.129.152.220 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: Amcache.hve.3.dr	String found in binary or memory: http://upx.sf.net
Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.220
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=102.129.152.2206
Source: file.exe, 00000000.00000002.1898640165.0000000001C42000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=102.129.152.220
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.1898640165.0000000001C62000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.1898640165.0000000001C62000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/s
Source: file.exe, 00000000.00000002.1898640165.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/102.129.152.220
Source: file.exe, 00000000.00000002.1898640165.0000000001C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/x
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/102.129.152.220
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1745080751.00000000066B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1747119459.00000000066D1000.00000004.00000020.00020000.00000000.sdmp, Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000003.1745080751.00000000066B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1747119459.00000000066D1000.00000004.00000020.00020000.00000000.sdmp, Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000002.1898640165.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, gaUkmAzGb_el0KBPcRFr18l.zip.0.dr	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot)
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_bot52.220
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/risepro_botdd
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/7
Source: file.exe, 00000000.00000002.1899360370.000000000669E000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/m
Source: D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, Firefox_fqs92o4p.default-release.txt.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/Dragon
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/efox/
Source: file.exe, 00000000.00000002.1899360370.000000000669E000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/r

Source: unknown	Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown	Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49734

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.4:49733 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.4:49734 version: TLS 1.2

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DBF730	0_2_00DBF730
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D4B8E0	0_2_00D4B8E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00DC2100	0_2_00DC2100
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010C65C2	0_2_010C65C2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7C950	0_2_00D7C950
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D7A918	0_2_00D7A918
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D98BA0	0_2_00D98BA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00ED72CE	0_2_00ED72CE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010D757B	0_2_010D757B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00D6F570	0_2_00D6F570
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E2BFC0	0_2_00E2BFC0

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1776

Source: file.exe

Static PE information: invalid certificate

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.spyw.evad.winEXE@2/28@2/3

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7484

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\trixyKRfwTJj1oH7F

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.1744279670.0000000001D17000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1744631467.0000000001D17000.00000004.00000020.00020000.00000000.sdmp, UgGJ3iGDvYBdLogin Data For Account.0.dr, ThP4m_kOyXD9Login Data.0.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: file.exe

Virustotal: Detection: 22%

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\user\Desktop\file.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1776

Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 4114680 > 1048576

Source: file.exe

Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x3ca600

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

Source: file.exe	Static PE information: section name: .vmp
Source: file.exe	Static PE information: section name: .vmp
Source: file.exe	Static PE information: section name: .vmp

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F4ECBE push ecx; retf	0_2_00F4ED37
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FDEC0E push ecx; iretd	0_2_00F106DE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010FCCA2 push 0000006Dh; ret	0_2_010FCCFF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FA8FD6 push CBA5C98Ch; retf	0_2_00FA8FDF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0106797F push 205360DBh; ret	0_2_01067998
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_010698D2 push ebp; ret	0_2_01069907
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00FCBA43 push 205360DBh; ret	0_2_01067998
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00F61F5F push edx; retf	0_2_00EFF50E

Hooking and other Techniques for Hiding and Protection

Overwrites code with unconditional jumps - possibly settings hooks in foreign process

Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 1C00005 value: E9 2B BA 2C 75	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 76ECBA30 value: E9 DA 45 D3 8A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 1C10008 value: E9 8B 8E 30 75	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 76F18E90 value: E9 80 71 CF 8A	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 35D0005 value: E9 8B 4D 62 72	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 75BF4D90 value: E9 7A B2 9D 8D	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 35E0005 value: E9 EB EB 62 72	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 75C0EBF0 value: E9 1A 14 9D 8D	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 35F0005 value: E9 8B 8A 9E 71	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 74FD8A90 value: E9 7A 75 61 8E	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 3600005 value: E9 2B 02 A0 71	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: PID: 7484 base: 75000230 value: E9 DA FD 5F 8E	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\file.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-40533

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0118654D rdtsc

0_2_0118654D

Source: Amcache.hve.3.dr	Binary or memory string: VMware
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.3.dr	Binary or memory string: VMware, Inc.
Source: file.exe, 00000000.00000003.1752417902.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7163F936
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.3.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: file.exe, 00000000.00000003.1696606277.0000000001C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.3.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: file.exe, 00000000.00000002.1898640165.0000000001C72000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.3.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.3.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.3.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.3.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.3.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.3.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWS
Source: Amcache.hve.3.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.3.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.3.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.3.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.3.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.3.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.3.dr	Binary or memory string: VMware Virtual RAM
Source: file.exe, 00000000.00000002.1899493695.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: Amcache.hve.3.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: file.exe, 00000000.00000003.1696606277.0000000001C86000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: Amcache.hve.3.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0118654D rdtsc

0_2_0118654D

Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0			Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00D7360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_00D7360D

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.3.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.3.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756945593.000000000677F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gaUkmAzGb_el0KBPcRFr18l.zip, type: DROPPED

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\walletsSqP=
Source: file.exe, 00000000.00000003.1752417902.00000000066B6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \ElectronCash\wallets
Source: file.exe, 00000000.00000002.1898640165.0000000001C7C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Jaxx\Local Storage
Source: file.exe, 00000000.00000003.1752417902.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000003.1752417902.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.1899493695.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets
Source: file.exe, 00000000.00000002.1899493695.00000000066C6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Source: file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\formhistory.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\signons.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\z6bny8rn.default\logins.json	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT	Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior

Source: Yara match	File source: 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1756945593.000000000677F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7484, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gaUkmAzGb_el0KBPcRFr18l.zip, type: DROPPED

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 Process Injection	1 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Virtualization/Sandbox Evasion	1 Credential API Hooking	1 Query Registry	Remote Desktop Protocol	1 Credential API Hooking	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Process Injection	Security Account Manager	31 Security Software Discovery	SMB/Windows Admin Shares	1 Archive Collected Data	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Data from Local System	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	24 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
file.exe	22%	Virustotal		Browse

Dropped Files

⊘No Antivirus matches

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
https://sectigo.com/CPS0	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		high
db-ip.com	104.26.4.15	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/widget/demo/102.129.152.220	false		high
https://db-ip.com/demo/home.php?s=102.129.152.220	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	false		high
https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF	D87fZN3R3jFeplaces.sqlite.0.dr	false		high
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	false		high
https://sectigo.com/CPS0	file.exe	false	URL Reputation: safe URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	false		high
http://ocsp.sectigo.com0	file.exe	false	URL Reputation: safe URL Reputation: safe	unknown
https://db-ip.com/	file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	false		high
http://upx.sf.net	Amcache.hve.3.dr	false		high
https://t.me/RiseProSUPPORT	file.exe, 00000000.00000002.1898640165.0000000001C27000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, gaUkmAzGb_el0KBPcRFr18l.zip.0.dr	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016	file.exe, 00000000.00000003.1745080751.00000000066B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1747119459.00000000066D1000.00000004.00000020.00020000.00000000.sdmp, Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	false		high
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17	file.exe, 00000000.00000003.1745080751.00000000066B5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1747119459.00000000066D1000.00000004.00000020.00020000.00000000.sdmp, Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	false		high
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	false		high
https://ipinfo.io/Mozilla/5.0	file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	D87fZN3R3jFeplaces.sqlite.0.dr	false		high
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	false		high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	file.exe	false	URL Reputation: safe	unknown
https://ipinfo.io/x	file.exe, 00000000.00000002.1898640165.0000000001C90000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot	file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr	false		high
https://db-ip.com/demo/home.php?s=102.129.152.2206	file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_botdd	file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io:443/widget/demo/102.129.152.220	file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://db-ip.com:443/demo/home.php?s=102.129.152.220	file.exe, 00000000.00000002.1898640165.0000000001C42000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/risepro_bot)	file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipinfo.io/	file.exe, 00000000.00000002.1898640165.0000000001C62000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001C9A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	file.exe	false	URL Reputation: safe URL Reputation: safe	unknown
https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install	Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	false		high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	false		high
https://ipinfo.io/s	file.exe, 00000000.00000002.1898640165.0000000001C62000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.winimage.com/zLibDll	file.exe, 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmp	false		high
https://t.me/risepro_bot52.220	file.exe, 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support.mozilla.org	D87fZN3R3jFeplaces.sqlite.0.dr	false		high
https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples	Rxxkzr6lX3hbHistory.0.dr, e5Yph_sHMcOsHistory.0.dr	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1747648747.00000000066F2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1745526102.00000000066C7000.00000004.00000020.00020000.00000000.sdmp, 1WonyWgTlWBJWeb Data.0.dr, LJ0Ouc26bvKFWeb Data.0.dr, nG2tiL1Y5ubwWeb Data.0.dr	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
45.15.156.9	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
104.26.4.15	db-ip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1432049
Start date and time:	2024-04-26 11:05:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal84.troj.spyw.evad.winEXE@2/28@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:06:21	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	uUsgzQ3DoW.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
	8BZBgbeCcz.exe	Get hash	malicious	RedLine	Browse	ipinfo.io/ip
45.15.156.9	2qlPnQB9U0.exe	Get hash	malicious	Unknown	Browse	45.15.156.9/ping.php?hwid=0453C53E
104.26.4.15	#Ud3ec#Ud2b8#Ud3f4#Ub9ac#Uc624.exe	Get hash	malicious	Nemty, Xmrig	Browse	api.db-ip.com/v2/free/102.129.152.212/countryName

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	j1zkOQTx4q.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	http://crunchersflowdigital.com	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	TeaiGames.exe	Get hash	malicious	NovaSentinel	Browse	34.117.186.192
	ShadowFury.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
	ShadowFury.exe	Get hash	malicious	Unknown	Browse	34.117.186.192
db-ip.com	j1zkOQTx4q.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	172.67.75.166
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	ygm2mXUReY.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	file.exe	Get hash	malicious	RisePro Stealer	Browse	172.67.75.166
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	104.26.5.15
	2q45IEa3Ee.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.5.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	j1zkOQTx4q.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	http://www.vacationscenter.mx	Get hash	malicious	Unknown	Browse	34.117.118.44
	https://url.us.m.mimecastprotect.com/s/qkT5Cv2pWyUOjZODty9fnF?domain=google.com	Get hash	malicious	Unknown	Browse	34.117.250.57
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	34.117.186.192
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192
	0ar3q66pGv.elf	Get hash	malicious	Mirai	Browse	34.116.69.95
	http://94.156.79.129/x86_64	Get hash	malicious	Unknown	Browse	34.117.121.53
	http://94.156.79.129/i686	Get hash	malicious	Unknown	Browse	34.117.121.53
	http://crunchersflowdigital.com	Get hash	malicious	Unknown	Browse	34.117.186.192
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	j1zkOQTx4q.exe	Get hash	malicious	RisePro Stealer	Browse	5.42.66.10
	f6FauZ2CEz.exe	Get hash	malicious	RedLine	Browse	5.42.92.179
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	45.15.156.9
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.96
	file.exe	Get hash	malicious	Unknown	Browse	5.42.66.10
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	5.42.66.10
	file.exe	Get hash	malicious	Glupteba, Mars Stealer, PureLog Stealer, Vidar, zgRAT	Browse	5.42.66.10
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.96
	c3nBx2HQG2.exe	Get hash	malicious	Glupteba, Mars Stealer, Phorpiex, PureLog Stealer, Stealc, Vidar, zgRAT	Browse	5.42.66.10
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.96
CLOUDFLARENETUS	https://deebmpapst.ordineproposal.top/	Get hash	malicious	Unknown	Browse	104.17.2.184
	Statement of Account PDF.bat.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	https://powerpointmicrosoftoffice.top/	Get hash	malicious	Unknown	Browse	104.17.3.184
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:d35aec95-f365-414c-8371-68e6d7d2ec41	Get hash	malicious	Unknown	Browse	104.17.28.92
	150-425-2024.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	CHEMICAL SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Payment.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	https://usigroups-my.sharepoint.com/:o:/p/js/Es3HdUJZlbVJngCJE-Z7JCYBUTZvd1ZCMQwZhhlQoy_hDw?e=mT2aQm	Get hash	malicious	HTMLPhisher	Browse	172.67.144.70
	SOA FOR APR 2024 PDF.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.12.205
	http://householdshop.club/	Get hash	malicious	Unknown	Browse	104.17.25.14

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	http://cleverchoice.com.au	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	https://therufus.org/download.php	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	j1zkOQTx4q.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192 104.26.4.15
	VoGtelkHSn.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 104.26.4.15
	SecuriteInfo.com.MSExcel.CVE_2017_0199.DDOC.exploit.32374.20351.xlsx	Get hash	malicious	Unknown	Browse	34.117.186.192 104.26.4.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192 104.26.4.15
	file.exe	Get hash	malicious	PureLog Stealer, RisePro Stealer, zgRAT	Browse	34.117.186.192 104.26.4.15
	SecuriteInfo.com.Win32.Evo-gen.19638.13648.exe	Get hash	malicious	DBatLoader	Browse	34.117.186.192 104.26.4.15
	file.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 104.26.4.15
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse	34.117.186.192 104.26.4.15

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_ff31866d17fa18c7913366427148ad386_8682c2da_5ca5d425-8a52-4555-bdfc-fbe386d59aef\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0453041501471347
Encrypted:	false
SSDEEP:	192:8iB7MYZtvRPFPw0LnaII3j/ZrUyjcKzuiFWZ24IO8TVB:FNbDRtPLLnaPjyKzuiFWY4IO8X
MD5:	F323BA6BF012D2B3F7D2D69A3BABA004
SHA1:	D6B844B5BD4B08F7443CA7BA3D39E791E6016444
SHA-256:	10E55CA9DA0633A8DDB4E7CB5BECE0C84152AE44F6FEAFACF24942C5F555B77C
SHA-512:	91BDB9D395C92F7CF64F1173C4ABBC02A27F7D7FA1D719AE14447DD31AFE77B2A59F4E9B603A8320F85FA44EA398BBB70D9A17CF3D685983E529056FD7DCF5BA
Malicious:	false
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.5.8.5.9.5.9.7.0.8.3.6.9.0.7.6.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.5.8.5.9.5.9.7.1.3.0.5.6.6.6.4.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.c.a.5.d.4.2.5.-.8.a.5.2.-.4.5.5.5.-.b.d.f.c.-.f.b.e.3.8.6.d.5.9.a.e.f.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.b.1.c.6.b.6.-.d.4.b.b.-.4.3.4.6.-.8.1.7.5.-.9.7.3.7.4.2.9.6.9.1.b.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.f.i.l.e...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.3.c.-.0.0.0.1.-.0.0.1.4.-.c.d.c.a.-.6.6.f.4.b.8.9.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.e.1.8.d.e.1.d.d.f.2.9.2.f.5.c.3.e.0.8.f.2.f.9.3.7.1.c.0.c.4.a.5.0.0.0.0.0.9.0.4.!.0.0.0.0.9.0.a.9.2.3.d.3.c.5.0.4.6.7.2.0.5.7.f.b.d.c.3.f.b.f.4.2.c.3.b.e.8.d.b.5.f.d.8.c.!.f.i.l.e...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.2.4././.0.4.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE007.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Fri Apr 26 09:06:11 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	100640
Entropy (8bit):	2.013335064595714
Encrypted:	false
SSDEEP:	384:E3mzvVPuMRtvkste0Q4qpzr/JN8MzVHsGhDtdQo2VZEyKGY2sV5s3Eu:qmzvRtvkstIHZjMV
MD5:	6FBBD37E8077841608CDBD733068448E
SHA1:	EF2BA196A7D9974F50EAB86C8FA02143C68D810D
SHA-256:	B4C2DAD4985039BAA94589DE1A768402F949AEA1DABBA6CC2FC1FBBD99B6BB5F
SHA-512:	CC756CC2FC668EDD361F40D9E9C7B87D6CC347154A4E973CF8347C42519975D94D82DFCD0F0840DCD361F39ACD7F33D91EB1548DDDA6E99D42F29801D260C2A1
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........n+f....................................l....#......$....G..........`.......8...........T...........@H...@...........$...........%..............................................................................eJ.......&......GenuineIntel............T.......<...wn+f.............................0..2...............W... .E.u.r.o.p.e. .S.t.a.n.d.a.r.d. .T.i.m.e.......................................W... .E.u.r.o.p.e. .S.u.m.m.e.r. .T.i.m.e...........................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0F3.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8362
Entropy (8bit):	3.6973699778685862
Encrypted:	false
SSDEEP:	192:R6l7wVeJNC76R6Y9tSURrgmfBjgJJEprt89bJBsftB7iDm:R6lXJU6R6YnSURrgmflgJJrJ6ftNP
MD5:	03C0CD9B88DB39A3D76B8936E06C6FA6
SHA1:	54331A7170B6E71D79B07BEB73BAA3A5BA2B03D5
SHA-256:	93A807116390AB34B238B982B35B209B31F12F3F4EE37B4CD44050AE5DA7941C
SHA-512:	C1CCA91FE5E92026A56CCF86190AA898F826774F44D33F35CBD3BF2AC27BE8650E79FF6E1B8D174C83B627ED03F7153B18EB15413CAEFEFAE98EB51457542986
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.8.4.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE113.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4612
Entropy (8bit):	4.485616011345078
Encrypted:	false
SSDEEP:	48:cvIwWl8zsHJg77aI9n8WpW8VYmYm8M4JDX7yFR3+q8Qpx81jAwygIqwhQd:uIjfpI7V17VWJDU3v01jogIqwhQd
MD5:	F6A0DB1CADC69C0CEF23375F5F02658F
SHA1:	CC2064C0A69024966D1B2FB618875C7E63232A08
SHA-256:	71729E4885F31CAC87DC809452D8E6788BE7F9616B0D40DD6BBE00040721C967
SHA-512:	C391C5C73D246CA156DEF29C2908C223E8A8CCBE35FF1D20ABB7DCABDCFD91FD83526AD60B64161E25C7352AD45711CD36FD13B28037F144C6117117E9084C98
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="296648" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Temp\gaUkmAzGb_el0KBPcRFr18l.zip

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	682693
Entropy (8bit):	7.997726461352831
Encrypted:	true
SSDEEP:	12288:B7xVTNIXI3zlzcUu/pxN46wOgOLa24fU1ppBWu5/LFwQwFu59Ili9b+SmUXOVe8Q:1/xyCzNI5wLOei1nBtp/XvAqLmUXOVe5
MD5:	5C5364317FE56EE9B669063CCCF2E628
SHA1:	53C95FB3C96283DB1ECE644EC9E517F0BD312427
SHA-256:	7F7DB8524A80E42428B79A4DB5E618210F1B0EF844AA3CD33EEDA26403A0ECDF
SHA-512:	8E555A8CDFEF62D5E1B0DADC1D5687A7FCC5EE52B7CA7AC4BBF61253656D8BD690AAC9D78B6B724EFF288DFA3062A9C0237ADE9988092231D900740AB30F624E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\gaUkmAzGb_el0KBPcRFr18l.zip, Author: Joe Security
Reputation:	low
Preview:	PK.........X.X................Cookies\..PK.........X.XQn.+............Cookies\Chrome_Default.txt.G..r...U.#.5C.....s$..-.D...7.\..$.G.)o....:....Z.C.f_..pm............"..t..t....}.k.@...a.2+P`.0.x.>....s..k%.._..b..P..((......B.....`.7..-m..JY..F....E..l.....I..&.....<J..M.......,V...)b.....Q..k......M?.5L....h}......X..'.0..tB.G...\;.a....4.......B4.......J.4.6.y:....4.-.UfE...3Ap.U5UX....Z.g:e.j.C..Bw..........e..a^.vU:....$..U......B..`._.e.....+...9.{u...7.e...H.]02...%yR".0...x...P<..N....R.}....{.G...;..c..x...kw.'S>.d\|.....B..k.9.t.!>.rh...~n.[....s#/....`.!..Kb8%&.vZB`....O\|.....>K......L...d0..03..t...T&.......`N.xp.."..J.......Q.....c..5...).Z.91.6.j..G.....Wr...a.52!..(^.U.....6....dB.D.^...7..0H.\J9.H.$^`e"..d...\....B.8Z=.qeP.3Y.>..'W.X..T..>z...,..K......g....%B.w4#...;.[]u\|....v...3.;L..U?..b.....u....... .......F...P.a...\|R3.=......r.:.64...#D..^..>.A..ZT.]E........t...f...1..3.....`...X.....C.]%...p.p.ym

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\02zdBXl47cvzcookies.sqlite

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\1WonyWgTlWBJWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\3b6N2Xdh3CYwplaces.sqlite

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\D87fZN3R3jFeplaces.sqlite

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.037963276276857943
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
MD5:	C0FDF21AE11A6D1FA1201D502614B622
SHA1:	11724034A1CC915B061316A96E79E9DA6A00ADE8
SHA-256:	FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
SHA-512:	A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\GQbFHuRC5t7nLogin Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.8180424350137764
Encrypted:	false
SSDEEP:	96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
MD5:	349E6EB110E34A08924D92F6B334801D
SHA1:	BDFB289DAFF51890CC71697B6322AA4B35EC9169
SHA-256:	C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
SHA-512:	2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\LJ0Ouc26bvKFWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\OGqN14Hqc_tTHistory

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\RrlgkTLYOV84Cookies

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.5793180405395284
Encrypted:	false
SSDEEP:	96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
MD5:	41EA9A4112F057AE6BA17E2838AEAC26
SHA1:	F2B389103BFD1A1A050C4857A995B09FEAFE8903
SHA-256:	CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
SHA-512:	29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\Rxxkzr6lX3hbHistory

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\ThP4m_kOyXD9Login Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\UgGJ3iGDvYBdLogin Data For Account

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\e5Yph_sHMcOsHistory

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	159744
Entropy (8bit):	0.7873599747470391
Encrypted:	false
SSDEEP:	96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
MD5:	6A6BAD38068B0F6F2CADC6464C4FE8F0
SHA1:	4E3B235898D8E900548613DDB6EA59CDA5EB4E68
SHA-256:	0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
SHA-512:	BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
Malicious:	false
Preview:	SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\l4mPY5f2P8ThHistory

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	126976
Entropy (8bit):	0.47147045728725767
Encrypted:	false
SSDEEP:	96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
MD5:	A2D1F4CF66465F9F0CAC61C4A95C7EDE
SHA1:	BA6A845E247B221AAEC96C4213E1FD3744B10A27
SHA-256:	B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
SHA-512:	C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\nCO5UlAAWThWWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\nG2tiL1Y5ubwWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1358696453229276
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
MD5:	28591AA4E12D1C4FC761BE7C0A468622
SHA1:	BC4968A84C19377D05A8BB3F208FBFAC49F4820B
SHA-256:	51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
SHA-512:	5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\qapciQaJUl5zWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\sNnNIz9ALqmOWeb Data

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	114688
Entropy (8bit):	0.9746603542602881
Encrypted:	false
SSDEEP:	192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
MD5:	780853CDDEAEE8DE70F28A4B255A600B
SHA1:	AD7A5DA33F7AD12946153C497E990720B09005ED
SHA-256:	1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
SHA-512:	E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
Malicious:	false
Preview:	SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trixyKRfwTJj1oH7F\Cookies\Chrome_Default.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with very long lines (769), with CRLF line terminators
Category:	dropped
Size (bytes):	6085
Entropy (8bit):	6.038274200863744
Encrypted:	false
SSDEEP:	96:gxsumX/xKO2KbcRfbZJ5Jxjxcx1xcbza5BC126oxgxA26Fxr/CxbTxqCGYURxOeb:gWFXZQHRFJ5Pts7c3avC126Ygb6Lr/WY
MD5:	ACB5AD34236C58F9F7D219FB628E3B58
SHA1:	02E39404CA22F1368C46A7B8398F5F6001DB8F5C
SHA-256:	05E5013B848C2E619226F9E7A084DC7DCD1B3D68EE45108F552DB113D21B49D1
SHA-512:	5895F39765BA3CEDFD47D57203FD7E716347CD79277EDDCDC83A729A86E2E59F03F0E7B6B0D0E7C7A383755001EDACC82171052BE801E015E6BF7E6B9595767F
Malicious:	false
Preview:	.google.com.TRUE./.TRUE.1712145003.NID.ENC893_djEw3+k+F2A/rK1XOX2BXUq6pY2LBCOzoXODiJnrrvDbDsPWiYwKZowg9PxHqkTm37HpwC52rXpnuUFrQMpV3iKtdSHegOm+XguZZ6tGaCY2hGVyR8JgIqQma1WLXyhCiWqjou7/c3qSeaKyNoUKHa4TULX4ZnNNtXFoCuZcBAAy4tYcz+0BF4j/0Pg+MgV+s7367kYcjO4q3zwc+XorjSs7PlgWlYrcc55rCJplhJ+H13M00HIdLm+1t9PACck2xxSWX2DsA61sEDJCHEc=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.FALSE./.TRUE.1696413835..AspNetCore.AuthProvider.ENC893_djEwVWJCCNyFkY3ZM/58ZZ/F/bz9H1yPvi6FOaroXC+KU8E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.Correlation.mdRqPJxLbpyv7vX0eK9YkTR-xwcrW3VBLE4Y3HEvxuU.ENC893_djEwBAKLrkJs5PZ6BD7Beoa9N/bOSh5JtRch10gZT+E=_b3i0u6LLcKCMUaF/UlQgEPSL9PtLZ21CuT1dJkfCzME=..support.microsoft.com.TRUE./signin-oidc.TRUE.1696414135..AspNetCore.OpenIdConnect.Nonce.CfDJ8Kiuy_B5JgFMo7PeP95NLhqwcJ8koDy5pXkfoWsb5SbbU2hVCbsH2qt9GF_OVCqFkLEwhvzeADNQOF5RSmkDfh5RqfqlOkx5QWo4Lltvwb0CvwBFD8ujlm3BAglOeGca3ZatkLMUkH

C:\Users\user\AppData\Local\Temp\trixyKRfwTJj1oH7F\History\Firefox_fqs92o4p.default-release.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	112
Entropy (8bit):	4.911305722693245
Encrypted:	false
SSDEEP:	3:N8DSLvIJiMgTE2WdkQUl7R8DSLvIJiMhKVX3L2WdkQUlv:2OLciodq7R8OLciA8dqv
MD5:	978B9515D3688A43726604AC169DF379
SHA1:	D61293AB99332FC45CAE37D78AB17A5DA5BCD189
SHA-256:	CDEF3FB1CE312E4B67DC5F1B1F9FB551241C08564FDB26AFA4CBF448BB02EA65
SHA-512:	86146AA576129B73743B1EBC0BC60880FDA58A11498048B3C68284C4520F1ADC324D016696B0E995A51AC56966E0F38B0AF12458A986868701C6AAAA89C829CB
Malicious:	false
Preview:	https://www.mozilla.org/privacy/firefox/.1696333827..https://www.mozilla.org/en-US/privacy/firefox/.1696333827..

C:\Users\user\AppData\Local\Temp\trixyKRfwTJj1oH7F\information.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	6578
Entropy (8bit):	5.393536152761999
Encrypted:	false
SSDEEP:	96:xrhUX5RsMcT4Aisph+9hcm4ozWqbnMAANUbg3x:x2uMvAtphWhcmRzWCQB
MD5:	A87B717AB3416F3EFFB7617D5E9BC503
SHA1:	A03F63B6528403E047C859D3764611BF35BC67A4
SHA-256:	D17F3191EBD234E2E12820B1E07F169975520CAD929733DCAC561CAF2EDE11EA
SHA-512:	EADBF76071620E58FA818B372EE2227595A4751C4438DF72130A4704734908AB00529080EECDC94B5A2608B4DEFDA49C0EEA20F7A4361FDF8DBCFF3BB0264099
Malicious:	false
Preview:	Build: 2 method..Version: 1.9....Date: Fri Apr 26 11:06:06 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 82f169a586bb406a4ea01ed248d057d8....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixyKRfwTJj1oH7F....IP: 102.129.152.220..Location: US, Miami..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 910646 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 26/4/2024 11:6:6..TimeZone: UTC1....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [324]..csrss.exe [408]..wininit.exe [484]..csrss.exe [492]..winlogon.exe [552]..services.exe [620]..lsass.exe [628]..svchost.exe [752]..fontdrvhost.exe [776]..fontdrvhost.exe [784]..s

C:\Users\user\AppData\Local\Temp\trixyKRfwTJj1oH7F\passwords.txt

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	Unicode text, UTF-8 text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	4897
Entropy (8bit):	2.518316437186352
Encrypted:	false
SSDEEP:	48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
MD5:	B3E9D0E1B8207AA74CB8812BAAF52EAE
SHA1:	A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
SHA-256:	4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
SHA-512:	B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\trixyKRfwTJj1oH7F\screenshot.png

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	694803
Entropy (8bit):	7.926990286530075
Encrypted:	false
SSDEEP:	12288:0MfOlYUQ8lm8cucFVuBW2Prl3vy+mYkhicXNAZm2AaY1ZlyGflqFzLngnWy:0+jUQ3l09Pp3a+jkhTXufAJ1ZAGdAz7A
MD5:	5197E300B883745269B55B3D632AFDCA
SHA1:	1745A7ACE8AE581ECC066E7EF86852E32432C150
SHA-256:	2B26C45D5788B47C29A3E6B9EE41182428DC8599D4D35431DC4A360FBC55FD8F
SHA-512:	718AB8AB2B5B0240F026F0B944B519A7BBE6FA681DBB3793D19E4149A2D507D9CAF1D2CF182C2E25A199271B2269E0DAF15D6C5A57D2AFA093B4BA87F595303D
Malicious:	false
Preview:	.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^....]....V..}_w.w...'...}....xw<N..69(.s2.....6...LN"g!.m0.v.`2.$.DN.$...B..6v......U.[i..%........s.-....j.Z..7C....M.ssc+.....m._66....0.._.9......z...7#...x_.d,...\8L..u.v.........-..z.v...8.~..M.Y.7).9.:b.L..%.3.-.8}..O[..S....6.oj'....'....+*.z.~.=1..W.c_.+.......o/...U.~ky.....Y..o....._.{.....X1p...s....%%.v..WFG._.i.`..??]..>2.0..../>]1....}1.Wl..\|.%...........\|....}.D...b...G<^.5.v<h...c.\|...O=6.;o..~$.._.&\|.04......Hb...SK....>.....1O0f..a...'".=.&r....q............{.0.<..~0...!.U..x4L<4.q..a.......x.vn.....C.....9...V...{..a`..C}.E.....'>..xo1.. .v.A...1gRl'..y........9.q..>.Rkc..z.9.ah.Ea.~q.......$.{.W.&..P.t@.7.m...}..}.{...{.......}ob`.....=..a.~.Z...qw.....>........g..?....M.......=..=...\.{...q>.............=.0...D.Gl`V.wf........R..n.~#.......}.0+.k...XK;iV\33...c.......apZ.n..S. .<07y....._...P..W....S........8...

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465264856402223
Encrypted:	false
SSDEEP:	6144:YIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uNPdwBCswSbv:NXD94+WlLZMM6YFH1+v
MD5:	25CEC659CF9437E08507DFC09B68FD7F
SHA1:	DC36DE33C526A9852FE066D5112DFC0B0786E139
SHA-256:	0DAB69FFBBD1C8BF43B268FE55613B55B35581A80456F134E3AE17E83A601142
SHA-512:	215464F2CA30EE35AFBA2EBCA40AF960AA1DCD4D35DA2E50F67CDE02C16DE97CCAE48ED7351C7DD12EE755002C659A3A7EE3FE11597628A069AE27C50797A823
Malicious:	false
Preview:	regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.]Q..................................................................................................................................................................................................................................................................................................................................................PG.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.951628183843546
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	4'114'680 bytes
MD5:	661c97c107efc1d69510c2c4ea7aad09
SHA1:	90a923d3c504672057fbdc3fbf42c3be8db5fd8c
SHA256:	be630b379514bcea2ea2bb6285c966812b818b49c345ff5ce2ee2e714543f5dd
SHA512:	f1555908939608c7d6ed5a7399244f89e36aa2c7c16553c90bef1773cfb4c6ab03bf5826df16a33c47b310558a0f756d8532fe57ad3dbf8b2b6ccba46786ddc5
SSDEEP:	98304:a3K5NmPuOHVVLMvyTEZX9D4EoCckgOC6299LDmZkzvEaa:wK5N+HVWW6jdckNRNyz8aa
TLSH:	CC16339E3BD25078CCA926F48F02B67C76B61D6892718C5D58987EDE9FF3261B032143
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...^.%f...............'............b.\|...........@..........................P......4K?...@................................

File Icon


Icon Hash:	781a1a3a391cb894

Static PE Info

General

Entrypoint:	0xbc0262
Entrypoint Section:	.vmp
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6625EF5E [Mon Apr 22 05:02:22 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	fce2185f86316405847dae4f4adccdc7

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=AVG Technologies USA LLC \u2122\u2030\u2122\u2030\u2122\u2030
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	06/01/2024 10:14:42 07/01/2034 10:14:42
Subject Chain	CN=AVG Technologies USA LLC \u2122\u2030\u2122\u2030\u2122\u2030
Version:	3
Thumbprint MD5:	27F5DD79C86B9255242DDB29A51B691E
Thumbprint SHA-1:	44268FBAA5D87BA1717C7237701B06FA20E9AF66
Thumbprint SHA-256:	1C39A7BBBC7445339DEFD55E21DFA65CDEB9037F0FD33140759077C31CB40BE0
Serial:	59AE1233E1806897438DF0EEC7051E17

Entrypoint Preview

Instruction
push ebx
mov ebx, 6EBC27B4h
pushfd
and ebx, 651E5094h
mov ebx, dword ptr [esp+ebx-641C0090h]
mov dword ptr [esp+04h], 1B929A7Eh
push dword ptr [esp+00h]
popfd
lea esp, dword ptr [esp+04h]
call 00007F24F49DC691h
mov dword ptr [esp+08h], edx
mov eax, 7510083Dh
mov dword ptr [esp+eax-75100839h], ebp
pop ebp
pushfd
movsx ebp, ax
idiv al
push ebx
shl eax, FFFFFFE3h
push ebp
mov dword ptr [esp+ebp-00000825h], esi
call 00007F24F49D0E04h
mov dword ptr fs:[edx], eax
jmp 00007F24F49DAD72h
jp 00007F24F4ADFFE3h
nop
dec ebx
xor al, EAh
mov ecx, 6DC49C53h
hlt
sbb dword ptr [esi-31h], 65AABDC0h
out dx, al
aaa
or byte ptr [ebp+63h], ch
mov word ptr [ebx], ds
mov esp, dword ptr [ecx-61E76508h]
outsd
pop eax
or byte ptr [edi+41h], ch
inc ebx
cmp cl, dl
push ebx
push edi
add ecx, dword ptr [esi-436E1D5Bh]
mov dh, FAh
push eax
push eax
or al, DBh
pop ecx
push EB96E493h
push 9D0D581Bh
mov eax, dword ptr [esp+04h]
movzx ax, byte ptr [ebp+00h]
mov cl, byte ptr [ebp+02h]
add ebp, 00000002h
ror dword ptr [esp+02h], 6Dh
neg byte ptr [esp+06h]
shl al, cl
jmp 00007F24F49CA84Eh
pop ebp
lea edi, dword ptr [eax+eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x47078c	0x140	.vmp
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x816000	0x1e0bb	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3eb000	0x18f8	.vmp
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x814000	0x1a1c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x46a4bc	0x18	.vmp
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x812bf0	0x40	.vmp
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x448000	0x8c	.vmp
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x808ccc	0x40	.vmp
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x158af8	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x15a000	0x27b5a	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x182000	0x4930	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x187000	0x2c089c	0x0	d41d8cd98f00b204e9800998ecf8427e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.vmp	0x448000	0x72c	0x800	d62e229aa06b51daee1a6a37990968b1	False	0.0546875	data	0.3471760150721117	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.vmp	0x449000	0x3ca4a0	0x3ca600	202c35d9854032aed55077a4c75d3d1c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc	0x814000	0x1a1c	0x1c00	9e82593e38e947b89b158a8aede1802b	False	0.32407924107142855	data	5.641335708691851	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc	0x816000	0x1e0bb	0x1e200	99108fac43aa1f989c944990edca1a42	False	0.5130154304979253	data	5.960372030973446	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x8162b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	United States	0.6196808510638298
RT_ICON	0x816718	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	United States	0.44301125703564725
RT_ICON	0x8177c0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	United States	0.2436265231278836
RT_ICON	0x827fe8	0xa4b1	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9979602001850051
RT_ICON	0x83249c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.46621621621621623
RT_ICON	0x8325c4	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.1351156069364162
RT_ICON	0x832b2c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.20833333333333334
RT_ICON	0x832f94	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.14169675090252706
RT_GROUP_ICON	0x83383c	0x3e	data	English	United States	0.8064516129032258
RT_GROUP_ICON	0x83387c	0x3e	data	English	United States	0.8387096774193549
RT_VERSION	0x8338bc	0xdc	data	English	United States	0.6545454545454545
RT_MANIFEST	0x833998	0x723	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.3973727422003284

Imports

DLL	Import
KERNEL32.dll	GetVersionExA
USER32.dll	wsprintfA
GDI32.dll	CreateCompatibleBitmap
ADVAPI32.dll	RegQueryValueExA
SHELL32.dll	ShellExecuteA
ole32.dll	CoInitialize
WS2_32.dll	WSAStartup
CRYPT32.dll	CryptUnprotectData
SHLWAPI.dll	PathFindExtensionA
gdiplus.dll	GdipGetImageEncoders
SETUPAPI.dll	SetupDiEnumDeviceInfo
ntdll.dll	RtlUnicodeStringToAnsiString
RstrtMgr.DLL	RmStartSession
KERNEL32.dll	GetSystemTimeAsFileTime
KERNEL32.dll	HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/26/24-11:06:02.426603	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49732	45.15.156.9	192.168.2.4
04/26/24-11:06:02.187295	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49732	50500	192.168.2.4	45.15.156.9

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 11:06:01.917092085 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:02.171797991 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:02.172065973 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:02.187294960 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:02.426603079 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:02.479125023 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:02.482173920 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:02.733758926 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:02.775979996 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:02.854365110 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:02.932451963 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:02.932491064 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:02.932568073 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:02.935981989 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:02.935997009 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:03.149221897 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:03.272475004 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:03.272568941 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:03.278506994 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:03.278517962 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:03.278917074 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:03.322901011 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:03.346611023 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:03.392124891 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:03.600184917 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:03.600356102 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:03.600419998 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:03.603116035 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:03.603136063 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:03.603147030 CEST	49733	443	192.168.2.4	34.117.186.192
Apr 26, 2024 11:06:03.603152037 CEST	443	49733	34.117.186.192	192.168.2.4
Apr 26, 2024 11:06:03.734170914 CEST	49734	443	192.168.2.4	104.26.4.15
Apr 26, 2024 11:06:03.734225035 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:03.734316111 CEST	49734	443	192.168.2.4	104.26.4.15
Apr 26, 2024 11:06:03.734755993 CEST	49734	443	192.168.2.4	104.26.4.15
Apr 26, 2024 11:06:03.734769106 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:04.002857924 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:04.003000021 CEST	49734	443	192.168.2.4	104.26.4.15
Apr 26, 2024 11:06:04.006805897 CEST	49734	443	192.168.2.4	104.26.4.15
Apr 26, 2024 11:06:04.006818056 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:04.007148981 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:04.008960009 CEST	49734	443	192.168.2.4	104.26.4.15
Apr 26, 2024 11:06:04.052134991 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:04.424690962 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:04.424920082 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:04.425096989 CEST	49734	443	192.168.2.4	104.26.4.15
Apr 26, 2024 11:06:04.425189972 CEST	49734	443	192.168.2.4	104.26.4.15
Apr 26, 2024 11:06:04.425205946 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:04.425218105 CEST	49734	443	192.168.2.4	104.26.4.15
Apr 26, 2024 11:06:04.425224066 CEST	443	49734	104.26.4.15	192.168.2.4
Apr 26, 2024 11:06:04.425864935 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:04.700517893 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:04.744740009 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:04.760631084 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:05.023027897 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:05.073040009 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:05.088799000 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:05.349571943 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:05.401005983 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:05.417047024 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:05.676086903 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:05.729269028 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:05.745122910 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:06.006787062 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:06.057246923 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:07.954155922 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:07.959615946 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.217885017 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.217902899 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.217947960 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.217967987 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.217987061 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.218007088 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.218017101 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.218064070 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.472420931 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.472505093 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.472609997 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.472625971 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.472678900 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.472708941 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.472774029 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.472807884 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.472933054 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.473064899 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.473159075 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.473171949 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.473176003 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.473258018 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.473378897 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.473447084 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.473457098 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.473551989 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.728724957 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728743076 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728748083 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728751898 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728761911 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728773117 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728786945 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728797913 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728806973 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728816986 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.728837967 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.728913069 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.729249954 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.729262114 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.729310989 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.729424000 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.729530096 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.729590893 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.729645014 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.729773998 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.729840040 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.729939938 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.730031013 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.731225014 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.731339931 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.983491898 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.983560085 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.983627081 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.983676910 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.984221935 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.984307051 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.984776020 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.984839916 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.985187054 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.985209942 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.985222101 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.985259056 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.985291004 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.985340118 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.985852003 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.985941887 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.986001015 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.986048937 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.986057997 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.986116886 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.986124992 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.986217976 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.986455917 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.986466885 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.986529112 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.986566067 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.986625910 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.986690044 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.986761093 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.986772060 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.986793041 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.986849070 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.987144947 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987155914 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987190008 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987225056 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.987294912 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987304926 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987381935 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.987632990 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987673998 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987690926 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.987740040 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.987813950 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987874985 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987884045 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.987912893 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987937927 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.987946987 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:08.987962961 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:08.987989902 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.238156080 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.238411903 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.238495111 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.239126921 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.239198923 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.239290953 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.240304947 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.240406990 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.240479946 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.241806030 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.241902113 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.241987944 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.242019892 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.242130995 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.242207050 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.243324995 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.243545055 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.244205952 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.244265079 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.244323015 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.244556904 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.244651079 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.244841099 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.244874001 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.244946957 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.244947910 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.245049953 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.245312929 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.245351076 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.245393038 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.245546103 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.245629072 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.246082067 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.246150017 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.246313095 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.246387959 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.246392012 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.246398926 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.246423960 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.246501923 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.246529102 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.246588945 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.246663094 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.246740103 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.246834993 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.246951103 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.246961117 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.247015953 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.247519016 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.247642040 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.247652054 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493133068 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493148088 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493238926 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493282080 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493355036 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493447065 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.493453026 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493469000 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493525982 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.493690014 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493700981 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.493756056 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.493917942 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494003057 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494035006 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494060993 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494071960 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494103909 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494103909 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494132996 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494149923 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494246006 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494313955 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494345903 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494395971 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494446993 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494446993 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494446993 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494482040 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494482040 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494494915 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494510889 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494535923 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494537115 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494539976 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494601011 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494601965 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494788885 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494800091 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.494879961 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.494879961 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.495109081 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.495157003 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.495193005 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.495234966 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.495589018 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.495640993 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.495657921 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.495699883 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.495738983 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.495738983 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.495747089 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.495788097 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.495821953 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.495826960 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:09.495840073 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.496356010 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.496457100 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.496575117 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.496854067 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.496903896 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.497456074 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.497472048 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.497543097 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.497556925 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.497602940 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.497649908 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.497764111 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.498125076 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.498183012 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.498315096 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.498364925 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.498413086 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.498579025 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.498913050 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.499011993 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.499027967 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.499074936 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.499125957 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.499183893 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.499331951 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.499833107 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.499923944 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500068903 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500116110 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500130892 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500185966 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500381947 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500467062 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500570059 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500677109 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500724077 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.500740051 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.501058102 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.501310110 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.501359940 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.501394033 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.501773119 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.501858950 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.501869917 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.501961946 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.501971960 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.502024889 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.502038002 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.502054930 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.502064943 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.502741098 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.502774954 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.503349066 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.504132032 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.504163027 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.504339933 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.504415035 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.504425049 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.504606009 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.504631996 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.504712105 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505126953 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505141973 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505182028 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505201101 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505409956 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505424976 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505776882 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505820990 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505839109 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.505916119 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.506313086 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.506356001 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.506479025 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.747798920 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.747836113 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.747899055 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.747915030 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.748191118 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.748404980 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.748473883 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.748541117 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.748895884 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749062061 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749073029 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749232054 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749242067 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749249935 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749260902 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749270916 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749629974 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749869108 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.749978065 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750199080 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750241995 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750286102 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750324965 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750400066 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750521898 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750581026 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750641108 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750655890 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.750689983 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.751125097 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.751182079 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.751235008 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:09.751280069 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:10.057261944 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:10.352150917 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:10.353445053 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:10.608920097 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:10.609524012 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:10.883264065 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:10.932687998 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:11.260497093 CEST	49732	50500	192.168.2.4	45.15.156.9
Apr 26, 2024 11:06:11.519057989 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:11.519227982 CEST	50500	49732	45.15.156.9	192.168.2.4
Apr 26, 2024 11:06:11.519316912 CEST	49732	50500	192.168.2.4	45.15.156.9

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 26, 2024 11:06:02.799535036 CEST	52414	53	192.168.2.4	1.1.1.1
Apr 26, 2024 11:06:02.924838066 CEST	53	52414	1.1.1.1	192.168.2.4
Apr 26, 2024 11:06:03.606478930 CEST	63075	53	192.168.2.4	1.1.1.1
Apr 26, 2024 11:06:03.732992887 CEST	53	63075	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 26, 2024 11:06:02.799535036 CEST	192.168.2.4	1.1.1.1	0x5054	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:06:03.606478930 CEST	192.168.2.4	1.1.1.1	0xfdf3	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Apr 26, 2024 11:06:02.924838066 CEST	1.1.1.1	192.168.2.4	0x5054	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:06:03.732992887 CEST	1.1.1.1	192.168.2.4	0xfdf3	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:06:03.732992887 CEST	1.1.1.1	192.168.2.4	0xfdf3	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false
Apr 26, 2024 11:06:03.732992887 CEST	1.1.1.1	192.168.2.4	0xfdf3	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

https:

ipinfo.io

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49733	34.117.186.192	443	7484	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:06:03 UTC	240	OUT	GET /widget/demo/102.129.152.220 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-04-26 09:06:03 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Fri, 26 Apr 2024 09:06:03 GMT content-type: application/json; charset=utf-8 Content-Length: 1020 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-04-26 09:06:03 UTC	741	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4d 69 61 6d 69 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 46 6c 6f 72 69 64 61 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 32 35 2e 37 37 34 33 2c 2d 38 30 2e 31 39 33 37 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 0a 20 20 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 33 33 31 30 31 22 2c 0a 20 20 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 41 6d Data Ascii: { "input": "102.129.152.220", "data": { "ip": "102.129.152.220", "city": "Miami", "region": "Florida", "country": "US", "loc": "25.7743,-80.1937", "org": "AS174 Cogent Communications", "postal": "33101", "timezone": "Am
2024-04-26 09:06:03 UTC	279	IN	Data Raw: 61 64 64 72 65 73 73 22 3a 20 22 47 72 6f 75 6e 64 20 46 6c 6f 6f 72 2c 20 34 20 56 69 63 74 6f 72 69 61 20 53 71 75 61 72 65 2c 20 53 74 20 41 6c 62 61 6e 73 2c 20 61 64 64 72 65 73 73 3a 20 48 65 72 74 66 6f 72 64 73 68 69 72 65 2c 20 4c 6f 6e 64 6f 6e 2c 20 55 6e 69 74 65 64 20 4b 69 6e 67 64 6f 6d 22 2c 0a 20 20 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 4c 54 22 2c 0a 20 20 20 20 20 20 22 65 6d 61 69 6c 22 3a 20 22 70 61 75 6c 69 75 73 2e 7a 40 69 70 78 6f 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 50 61 75 6c 69 75 73 20 5a 61 75 72 61 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 31 30 32 2e 31 32 39 2e 31 32 38 2e 30 2f 31 37 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 74 65 6c 3a 2b 33 37 Data Ascii: address": "Ground Floor, 4 Victoria Square, St Albans, address: Hertfordshire, London, United Kingdom", "country": "LT", "email": "paulius.z@ipxo.com", "name": "Paulius Zaura", "network": "102.129.128.0/17", "phone": "tel:+37

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49734	104.26.4.15	443	7484	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
2024-04-26 09:06:04 UTC	264	OUT	GET /demo/home.php?s=102.129.152.220 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-04-26 09:06:04 UTC	654	IN	HTTP/1.1 200 OK Date: Fri, 26 Apr 2024 09:06:04 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC465318:84E6_93878F2E:0050_662B6E7C_9F7367B:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aRCe2F46XPPZK0tesefg29PELquiq7GKSlWf%2F21uoAegDHKjAuJ%2FQXeqUtTR9GCJh5e9lm89GIUX0Bcxu6Zoqz7S6GGEaM1QO8eYz%2FAKfGV9o9jus3Q40t0sqg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 87a56a286ddca699-MIA alt-svc: h3=":443"; ma=86400
2024-04-26 09:06:04 UTC	715	IN	Data Raw: 32 63 35 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 31 30 32 2e 31 32 39 2e 31 35 32 2e 32 32 30 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 Data Ascii: 2c5{"status":"ok","demoInfo":{"ipAddress":"102.129.152.220","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","language
2024-04-26 09:06:04 UTC	6	IN	Data Raw: 0a 30 0d 0a 0d 0a Data Ascii: 0

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: file.exePID: 7484, Parent PID: 2580

General

Target ID:	0
Start time:	11:05:59
Start date:	26/04/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd40000
File size:	4'114'680 bytes
MD5 hash:	661C97C107EFC1D69510C2C4EA7AAD09
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.1899360370.0000000006660000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1756945593.000000000677F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1898640165.0000000001CB4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Analysis Process: WerFault.exePID: 7692, Parent PID: 7484

General

Target ID:	3
Start time:	11:06:10
Start date:	26/04/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7484 -s 1776
Imagebase:	0xad0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: file.exePID: 7484, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	23.1%
Total number of Nodes:	1564
Total number of Limit Nodes:	47

Executed Functions

Function 00DBF730 Relevance: 110.7, APIs: 6, Strings: 56, Instructions: 2202COMMON

Download Yara Rule

APIs

SHGetFolderPathA.SHELL32(00000000,00000000,00000000,00000000,?), ref: 00DC02CB
SHGetFolderPathA.SHELL32(00000000,00000005,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00DC05C7
SHGetFolderPathA.SHELL32(00000000,00000028,00000000,00000000,?), ref: 00DC08C5
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00DC0C25
SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 00DC0F53
SHGetFolderPathA.SHELL32(00000000,00000008,00000000,00000000,?), ref: 00DC1257

Strings

v<Ea, xrefs: 00DC2BE8
v<Ea, xrefs: 00DC0EA8
v<Ea, xrefs: 00DC23D3
v<Ea, xrefs: 00DC17CE
v<Ea, xrefs: 00DC162F
S<Ea, xrefs: 00DC0343
v<Ea, xrefs: 00DC2817
v<Ea, xrefs: 00DC081A
v<Ea, xrefs: 00DC2310
v<Ea, xrefs: 00DC241F
v<Ea, xrefs: 00DC312C
v<Ea, xrefs: 00DC021B
v<Ea, xrefs: 00DC167B
v<Ea, xrefs: 00DBFE93
cannot get value, xrefs: 00DC1F7E, 00DC20B8
v<Ea, xrefs: 00DBFB4F
v<Ea, xrefs: 00DC2B9C
v<Ea, xrefs: 00DC2963
v<Ea, xrefs: 00DC098B
v<Ea, xrefs: 00DC29AF
type must be string, but is , xrefs: 00DC207B
S<Ea, xrefs: 00DC0CA1
v<Ea, xrefs: 00DC0CED
v<Ea, xrefs: 00DBFA6D
v<Ea, xrefs: 00DC11B2
S<Ea, xrefs: 00DC01CF
v<Ea, xrefs: 00DBFE47
0u$, xrefs: 00DC093F
v<Ea, xrefs: 00DC181A
v<Ea, xrefs: 00DC12CF
v<Ea, xrefs: 00DC101B
"o`a, xrefs: 00DC04D6
v<Ea, xrefs: 00DC27CB
v<Ea, xrefs: 00DBF8A3
v<Ea, xrefs: 00DC1166
v<Ea, xrefs: 00DC1A2B
v<Ea, xrefs: 00DC30E0
v<Ea, xrefs: 00DC191C
v<Ea, xrefs: 00DBF988
0u$, xrefs: 00DC07CE
h, xrefs: 00DC2196
type must be boolean, but is , xrefs: 00DC2027
v<Ea, xrefs: 00DC0522
v<Ea, xrefs: 00DC068B
v<Ea, xrefs: 00DC22BE
v<Ea, xrefs: 00DC151C
S<Ea, xrefs: 00DC0B2D
v<Ea, xrefs: 00DBFD3C
v<Ea, xrefs: 00DC19DF
v<Ea, xrefs: 00DC131B
v<Ea, xrefs: 00DC1568
v<Ea, xrefs: 00DC18D0
cannot compare iterators of different containers, xrefs: 00DC1FBD
"o`a, xrefs: 00DC063F
v<Ea, xrefs: 00DC038F
v<Ea, xrefs: 00DC0B79

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: FolderPath
String ID: "o`a$"o`a$0u$$0u$$S<Ea$S<Ea$S<Ea$S<Ea$cannot compare iterators of different containers$cannot get value$type must be boolean, but is $type must be string, but is $v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$h
API String ID: 1514166925-3376240126
Opcode ID: 5fc9551b835afc73cf18743851d0f8547d2ab1edfbd27ed7c33d2ef966693cd3
Instruction ID: 7b37bc696a179c0e3c40b179111538f899eecc3b739e5a0178b5d163f77c571c
Opcode Fuzzy Hash: 5fc9551b835afc73cf18743851d0f8547d2ab1edfbd27ed7c33d2ef966693cd3
Instruction Fuzzy Hash: 2C4301B4D042698BDB25CF28C894BEDBBB5AF49304F1482D9D859B7241EB706F84CF61

Uniqueness

Uniqueness Score: -1.00%

Function 00D4B8E0 Relevance: 86.4, APIs: 27, Strings: 19, Instructions: 5868COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4BA08
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4BAD2
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00D4BB07
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4BD08
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00D4BD37
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4C0CC
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4C196
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4C575
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4D29A
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4D6F8
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4DAD7
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4DF3C
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4E6FA
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00D4EEEA
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4F45B
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4F525
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4F933
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4FC55
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4FEF1
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00D501ED
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00D50580
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00D5088D
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 00D50B14
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D50F12
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D51904
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D51E6E
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D51FBE

Strings

v<Ea, xrefs: 00D4E414
v<Ea, xrefs: 00D5127C
v<Ea, xrefs: 00D4E244
v<Ea, xrefs: 00D512C8
v<Ea, xrefs: 00D51016
v<Ea, xrefs: 00D514EC
v<Ea, xrefs: 00D4E34C
v<Ea, xrefs: 00D52177
t=, xrefs: 00D4C015
v<Ea, xrefs: 00D514A0
t=, xrefs: 00D4B951
v<Ea, xrefs: 00D51390
v<Ea, xrefs: 00D4E1F8
t=, xrefs: 00D4F3A4
v<Ea, xrefs: 00D4E300
v<Ea, xrefs: 00D515AE
t=, xrefs: 00D51DB7
v<Ea, xrefs: 00D513DC
v<Ea, xrefs: 00D4E040

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: CreateDirectory$FolderPath
String ID: t=$t=$t=$t=$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 2162323195-2764410338
Opcode ID: d03df4f8d2237f0c9a49c5d9164e39267704da0de3a0be9a6433cdf42d498535
Instruction ID: faa4b6a80335c20bfefcb8ec4c1eca808504c34c4a3a30da45d284f08ba16256
Opcode Fuzzy Hash: d03df4f8d2237f0c9a49c5d9164e39267704da0de3a0be9a6433cdf42d498535
Instruction Fuzzy Hash: 6AF3D0B4D0426D8BDF15CFA8D981AEEBBB0BF08300F144199D959B7341EB742A85CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00E04EB0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 240
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

recv.WS2_32(FFF48220,00000004,00000002,00EFFE9C,0105EF55,00FCD475,01070440,010B5C68,00F580AD,?,00FC0350,01071D86,00FCCC2E,00ECDC6F,?,C406F2A0), ref: 00E04F71
recv.WS2_32(?,0000000C,00000002,?,00000000,?,00002710,00000000,?,00FC0350,01071D86,00FCCC2E,00ECDC6F,?,C406F2A0,00F1882A), ref: 00E04FF3
recv.WS2_32(00000000,0000000C,00000008), ref: 00E05014

Part of subcall function 00E05940: closesocket.WS2_32(?,00F5A93B,E3A3352D), ref: 00E05A2D

recv.WS2_32(00000000,?,00000008,?), ref: 00E050CB
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000,?,00FC0350,01071D86,00FCCC2E,00ECDC6F,?,C406F2A0,00F1882A,010E51DB,010A9EB9,01096461), ref: 00E05261
Sleep.KERNELBASE(00000064,?,00002710,00000000,?,00FC0350,01071D86,00FCCC2E,00ECDC6F,?,C406F2A0,00F1882A,010E51DB,010A9EB9,01096461,010A9EE4), ref: 00E05269

Strings

(c, xrefs: 00E04F05

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: recv$Sleep$closesocket
String ID: (c
API String ID: 565120283-1781735918
Opcode ID: 8c61c63b90d76b4673418b145e891eaf0409a676bfe82c54d73fbca7e321b9e1
Instruction ID: e09cd47d97faa9673e508fb683d0ae7fc5321c9bb888994a0028be555ff452f0
Opcode Fuzzy Hash: 8c61c63b90d76b4673418b145e891eaf0409a676bfe82c54d73fbca7e321b9e1
Instruction Fuzzy Hash: C191AAB1D00308DFEB10DBA4CC49BAEBBB5AB44314F244229E544BB2E2D7B15D89DF91

Uniqueness

Uniqueness Score: -1.00%

Function 00DA3650 Relevance: 110.9, APIs: 3, Strings: 59, Instructions: 2365COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00DA5AD0
CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00DA5CE6
CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00DA5DF5

Strings

v<Ea, xrefs: 00DA501F
v<Ea, xrefs: 00DA52FF
v<Ea, xrefs: 00DA5750
v<Ea, xrefs: 00DA4EE2
v<Ea, xrefs: 00DA45E4
v<Ea, xrefs: 00DA3A9B
v<Ea, xrefs: 00DA5F88
v<Ea, xrefs: 00DA62E7
v<Ea, xrefs: 00DA5F16
v<Ea, xrefs: 00DA4500
v<Ea, xrefs: 00DA546D
xc, xrefs: 00DA385D
v<Ea, xrefs: 00DA400A
v<Ea, xrefs: 00DA4362
v<Ea, xrefs: 00DA3990
v<Ea, xrefs: 00DA5D48
v<Ea, xrefs: 00DA4D19
v<Ea, xrefs: 00DA42EA
v<Ea, xrefs: 00DA6033
v<Ea, xrefs: 00DA635F
v<Ea, xrefs: 00DA56EB
v<Ea, xrefs: 00DA55F5
v<Ea, xrefs: 00DA509A
v<Ea, xrefs: 00DA5674
v<Ea, xrefs: 00DA426F
v<Ea, xrefs: 00DA3F8F
xc, xrefs: 00DA3844
v<Ea, xrefs: 00DA465B
v<Ea, xrefs: 00DA615D
t=, xrefs: 00DA37DE
v<Ea, xrefs: 00DA43DD
v<Ea, xrefs: 00DA4CA7
v<Ea, xrefs: 00DA5519
v<Ea, xrefs: 00DA5112
t=, xrefs: 00DA6732
v<Ea, xrefs: 00DA40FD
v<Ea, xrefs: 00DA53F2
v<Ea, xrefs: 00DA3E4D
v<Ea, xrefs: 00DA3C78
v<Ea, xrefs: 00DA4565
v<Ea, xrefs: 00DA4A30
v<Ea, xrefs: 00DA518D
v<Ea, xrefs: 00DA3741
v<Ea, xrefs: 00DA67E8
v<Ea, xrefs: 00DA3D23
v<Ea, xrefs: 00DA5590
v<Ea, xrefs: 00DA5C36
v<Ea, xrefs: 00DA537A
v<Ea, xrefs: 00DA4DBE
v<Ea, xrefs: 00DA4B38
v<Ea, xrefs: 00DA663D
v<Ea, xrefs: 00DA4489
v<Ea, xrefs: 00DA64A0
t=, xrefs: 00DA5A79
v<Ea, xrefs: 00DA63DA
v<Ea, xrefs: 00DA626C
v<Ea, xrefs: 00DA4082
v<Ea, xrefs: 00DA46C0
v<Ea, xrefs: 00DA3C06

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: CreateDirectory
String ID: t=$t=$t=$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$xc$xc
API String ID: 4241100979-469025951
Opcode ID: 28687f63b334ca07755f101d5db21b43b8dbae01e34ed060737b8a4280fc7844
Instruction ID: 51ce93340fb6da465aae3d54400f80ff275059aa79b32879f7bccc61bddb19a5
Opcode Fuzzy Hash: 28687f63b334ca07755f101d5db21b43b8dbae01e34ed060737b8a4280fc7844
Instruction Fuzzy Hash: B453CEB0D152688FDB65DF24C895BDDBBB0AB49300F4041EAE849B7251EB706F88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00D9E090 Relevance: 49.8, APIs: 10, Strings: 18, Instructions: 832
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00D4B8E0: CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D4BA08

CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D9E192
CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 00D9E322
CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 00D9E415
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D9E50B
CreateDirectoryA.KERNEL32(?,00000000,00000000), ref: 00D9E757
CreateDirectoryA.KERNELBASE(?,00000000), ref: 00D9E8D5
CreateDirectoryA.KERNEL32(?,00000000,?,-0000004C), ref: 00D9EA65
CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,-0000004C), ref: 00D9EB58
CreateDirectoryA.KERNEL32(?,00000000), ref: 00D9EC4E
CreateDirectoryA.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,-0000004C), ref: 00D9EEA6

Strings

v<Ea, xrefs: 00D9ED12
v<Ea, xrefs: 00D9E869
v<Ea, xrefs: 00D9ED77
v<Ea, xrefs: 00D9EB9B
v<Ea, xrefs: 00D9E61C
v<Ea, xrefs: 00D9E358
t=, xrefs: 00D9E158
4<Ea, xrefs: 00D9E561
v<Ea, xrefs: 00D9EA9B
4<Ea, xrefs: 00D9ECA4
v<Ea, xrefs: 00D9E5C3
v<Ea, xrefs: 00D9E9C4
v<Ea, xrefs: 00D9E458
t=, xrefs: 00D9E8A1
v<Ea, xrefs: 00D9E281
v<Ea, xrefs: 00D9E120
v<Ea, xrefs: 00D9E691
v<Ea, xrefs: 00D9EDEC

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: CreateDirectory
String ID: 4<Ea$4<Ea$t=$t=$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea
API String ID: 4241100979-1198608692
Opcode ID: 1ba00efdfdee86973f03160be3f84020cd5f77729ea39c4e79072422ba17d9d7
Instruction ID: 14fdf2cd01433fc56341aebce12f9e62fc29be5e8dfedd1bd5c17c0f38845ac6
Opcode Fuzzy Hash: 1ba00efdfdee86973f03160be3f84020cd5f77729ea39c4e79072422ba17d9d7
Instruction Fuzzy Hash: 0D9203B0D012A88BDF25DB64CC95BDDBBB4AB14304F4441E9E849B7252EB705F89CF62

Uniqueness

Uniqueness Score: -1.00%

Function 00E1C3E0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?), ref: 00E1C44A

Strings

v<Ea, xrefs: 00E1C4A7

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: FolderPath
String ID: v<Ea
API String ID: 1514166925-4124759590
Opcode ID: 748f4217436d9d14d0885de20eda801982a36be16b628dab5ec5a573364c52b3
Instruction ID: ff25126511d0f12c1391e517511b5c8854582b24d808d33dab20282706d4502b
Opcode Fuzzy Hash: 748f4217436d9d14d0885de20eda801982a36be16b628dab5ec5a573364c52b3
Instruction Fuzzy Hash: F77135B0C043489BEB15CF68C985BEDBBB4AF19314F244299E8197B292D7715A84CF60

Uniqueness

Uniqueness Score: -1.00%

Function 00E249F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 00E24B5C

Strings

v<Ea, xrefs: 00E24AB2

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: __fread_nolock
String ID: v<Ea
API String ID: 2638373210-4124759590
Opcode ID: 95e15311f54d418f7e32c08c5c413220734704568eae8fa757eaaae2c6ea2257
Instruction ID: 4fcba6fd586c1e4bc37a2eaf5e0c908e56a7081035ddb8b85e49f4f1a57f3aad
Opcode Fuzzy Hash: 95e15311f54d418f7e32c08c5c413220734704568eae8fa757eaaae2c6ea2257
Instruction Fuzzy Hash: F3515DB1D003499BDB10DF98D986BAEFBB4EF44714F10421DE855BB381E7716A44CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00F24566 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(?,E4B95E0E,?,C4829C9C,531F3023,010E0430,?,?,?,?,?,010AF67E), ref: 01085DE2

Strings

5, xrefs: 00F592F4

Memory Dump Source

Source File: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: LoadString
String ID: 5
API String ID: 2948472770-2226203566
Opcode ID: 6d1371f9aae0053a7762251ceea2a6387f36777a8103d6c12ec88a49cff4b465
Instruction ID: e85a56db8d9fe79a2ac79268e80844a0cb5423c8a3c38e9ae3f9cdab370e5675
Opcode Fuzzy Hash: 6d1371f9aae0053a7762251ceea2a6387f36777a8103d6c12ec88a49cff4b465
Instruction Fuzzy Hash: 87F0F62240C746EBCB24FF656C096DE7A9CAFD0710F10891DF2E115051DA788209DA63

Uniqueness

Uniqueness Score: -1.00%

Function 00E05940 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(?,00F5A93B,E3A3352D), ref: 00E05A2D

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: b12bcb3b9843980f62d439291fc40a883d445bf3b1b913be41aa3f0f117edeb2
Instruction ID: b2da2c07b759e680f2db9aafd7c9349ca4ac1bfbdfc3ef1e6efd910faf7082ed
Opcode Fuzzy Hash: b12bcb3b9843980f62d439291fc40a883d445bf3b1b913be41aa3f0f117edeb2
Instruction Fuzzy Hash: 303107726047006BC7209F648C84B6BBBE9FFC5378F101B1AF9A5A61D1D33598448AA2

Uniqueness

Uniqueness Score: -1.00%

Function 0107B7A4 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

closesocket.WS2_32(?,00F5A93B,E3A3352D), ref: 00E05A2D

Memory Dump Source

Source File: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: closesocket
String ID:
API String ID: 2781271927-0
Opcode ID: 8b4be38590614ef5541bfc60a4b7fd69d75c487f8a13129caebaccff7750a3c0
Instruction ID: bb11448e24cc9faf594875e3ded3b55476807b93759e64c8be072e060b700436
Opcode Fuzzy Hash: 8b4be38590614ef5541bfc60a4b7fd69d75c487f8a13129caebaccff7750a3c0
Instruction Fuzzy Hash: 8311EF376087416BCA219FB9984485FBBA0EFC5334F045B4DF6F9521E0C33594569BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00FBAE7C Relevance: 1.5, APIs: 1, Instructions: 22
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE ref: 00FBAE99

Memory Dump Source

Source File: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 4c38e938d1fd9ca1c89a070fbc9c3f9c5d40a024b1d00618d50274a39289acb1
Instruction ID: a0747b5b66b354690fa0ea88dd3df847878416e3f7dd81e9146750b1090d3ab5
Opcode Fuzzy Hash: 4c38e938d1fd9ca1c89a070fbc9c3f9c5d40a024b1d00618d50274a39289acb1
Instruction Fuzzy Hash: 6AE0E53100D38A5F8A11DF644D0000AFFE1ABC7668F445A5CE6F8137A2D72A5A26DB53

Uniqueness

Uniqueness Score: -1.00%

Function 01085DC3 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(?,E4B95E0E,?,C4829C9C,531F3023,010E0430,?,?,?,?,?,010AF67E), ref: 01085DE2

Memory Dump Source

Source File: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 01748fd0cfd6b706dfc2f51c24317737ba5701f24cbfb056f6967bb4b15448e2
Instruction ID: f0e97f7ad49d2592886fa6b379e8c682361a871a2a3ba32458e32d4e08acf4ea
Opcode Fuzzy Hash: 01748fd0cfd6b706dfc2f51c24317737ba5701f24cbfb056f6967bb4b15448e2
Instruction Fuzzy Hash: A4C08C3A2882199E8A10FAA689C12CCB7A8EE883503280011CC15452075AAA424C6E30

Uniqueness

Uniqueness Score: -1.00%

Function 00F0B30B Relevance: 1.3, APIs: 1, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00F6BDCC

Memory Dump Source

Source File: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4167861a844905d25c67d15788981aeef172d28071974caf66103368e9536e53
Instruction ID: 8088c007e60efbd16134ed207161afc9bf9c9e29d2d7b0bee007344527ea4b6e
Opcode Fuzzy Hash: 4167861a844905d25c67d15788981aeef172d28071974caf66103368e9536e53
Instruction Fuzzy Hash: B101AD32018385DBC708AB20E99219BF3B1FFC5300F51C60CA8994A251EB39D61AEE46

Uniqueness

Uniqueness Score: -1.00%

Function 00D8B00C Relevance: 1.3, APIs: 1, Instructions: 23COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000000,BAC0E305,?,00D90A5B,00000000,?,?,?,00F18F0F), ref: 00D8B02D

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 501e5b7462ac6d3ad6c874e2871065a7a84f2b12b8c1e3ea0f67a82fde4281ce
Instruction ID: c2826ff3e96164f7eec44132247535eaed52af29b55be42f7aa18ac73c98a65e
Opcode Fuzzy Hash: 501e5b7462ac6d3ad6c874e2871065a7a84f2b12b8c1e3ea0f67a82fde4281ce
Instruction Fuzzy Hash: 0FE086321002046ACB213BE5DC0AF9E365DAB44358F184026F60CAA050DA38885587B4

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00DC2100 Relevance: 31.2, APIs: 2, Strings: 15, Instructions: 1487COMMON

Download Yara Rule

Strings

v<Ea, xrefs: 00DC27CB
v<Ea, xrefs: 00DC2963
v<Ea, xrefs: 00DC29AF
v<Ea, xrefs: 00DC2BE8
v<Ea, xrefs: 00DC23D3
v<Ea, xrefs: 00DC30E0
v<Ea, xrefs: 00DC3435
v<Ea, xrefs: 00DC2817
v<Ea, xrefs: 00DC2310
v<Ea, xrefs: 00DC241F
v<Ea, xrefs: 00DC312C
v<Ea, xrefs: 00DC33E9
v<Ea, xrefs: 00DC22BE
h, xrefs: 00DC3819
v<Ea, xrefs: 00DC2B9C

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$v<Ea$h
API String ID: 0-2874662520
Opcode ID: 45db5f523c44dc99240d96f2ca1022e0ed9076c0ffc6bbadd5a43aae725f4450
Instruction ID: 87db25c9f65aa662373620fb81b1e2ebaf2e46864cc25e476c35d94a4329c973
Opcode Fuzzy Hash: 45db5f523c44dc99240d96f2ca1022e0ed9076c0ffc6bbadd5a43aae725f4450
Instruction Fuzzy Hash: 8CE26871D002598BDF25CF68C884BEDBBB5AF45304F1882D9D859A7282DB709F85CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D7C950 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction ID: a29f690bcaca67f056298a9482799facc2e3c91ccf15f9386cc77535520b3d3d
Opcode Fuzzy Hash: d832fe2a0f42001a57c9b2c34ab75cd1b9a187cae735d2738bff895b2773b599
Instruction Fuzzy Hash: C1021E71E112199FDF14CFA9D9806AEBBF1FF48314F24826ED919E7341E731A9418BA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D7360D Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 28timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,?,FFF48234,00E051DF,?,00FC0350,01071D86,00FCCC2E,00ECDC6F,?,C406F2A0,00F1882A,010E51DB,010A9EB9,01096461,010A9EE4), ref: 00D73645

Strings

@T, xrefs: 00D7360D

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: Time$FilePreciseSystem
String ID: @T
API String ID: 1802150274-2327893073
Opcode ID: 2f846292eaf79c2844f7670424f851838650dc278b9fbca37c5b13e098dd30b4
Instruction ID: 138c239d5c758f7049ea6735f085e48506475de1b0f8cf6d95937ca72c28bbbc
Opcode Fuzzy Hash: 2f846292eaf79c2844f7670424f851838650dc278b9fbca37c5b13e098dd30b4
Instruction Fuzzy Hash: FAF0E532904664FFCB019F55EC01F5DB7A9FB08F10F00412BE812E7390EB75AA049B94

Uniqueness

Uniqueness Score: -1.00%

Function 010C65C2 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

;, xrefs: 010C65E4

Memory Dump Source

Source File: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID: ;
API String ID: 0-1661535913
Opcode ID: 4069c2688b67213199c505cee89abef894647ac3e70f2241529f2029a76be8da
Instruction ID: 298160c476b942e42185f0b32646cd21bcfbed5db21af61b8717f6e4ca019a14
Opcode Fuzzy Hash: 4069c2688b67213199c505cee89abef894647ac3e70f2241529f2029a76be8da
Instruction Fuzzy Hash: 3C710E328083928BCB26DF78C9115E97BE0EF56320B584BCED5E19B6D3D721D41ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 00E2BFC0 Relevance: .8, Instructions: 763COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 344867bfe0e8b66f05c456c8bfce0b196e4b8bcae2c3832abbab97c6739a1182
Instruction ID: b6cf9d96bfc20ab0aa9a2010eacda59909b713b6973a0b13532617d8071be1a2
Opcode Fuzzy Hash: 344867bfe0e8b66f05c456c8bfce0b196e4b8bcae2c3832abbab97c6739a1182
Instruction Fuzzy Hash: 603273B3F5161447DF1CCA6ECC922EDB2E36FD821871E813DE80AE3345EA79E9454684

Uniqueness

Uniqueness Score: -1.00%

Function 00D6F570 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43febc7b0bf3877219e61b63db087e8b6d0d2a333138d20111f5827b5a0595c
Instruction ID: 6a4e0e107ba8105cfb6112006bde6e281a89dd965d1e3aaaa5e46f4ae046308d
Opcode Fuzzy Hash: b43febc7b0bf3877219e61b63db087e8b6d0d2a333138d20111f5827b5a0595c
Instruction Fuzzy Hash: 42E11272E1062A9FCB04CFA8D8816ADFBF1FF88310F1942A9D855B7340D670AD45CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 00D98BA0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a0bcf053e6a89a7142f8357c1290d055c8c3e1165d79544d4cf429a3eb281ef
Instruction ID: d06a31e670531378267a9b6976b7552a8e3f59cc13bce828388382892fa60ede
Opcode Fuzzy Hash: 3a0bcf053e6a89a7142f8357c1290d055c8c3e1165d79544d4cf429a3eb281ef
Instruction Fuzzy Hash: 7081F4B1D042858FDF148F69D8917BEFBB4EF1A700F080169D855A7392CB35990AE7B0

Uniqueness

Uniqueness Score: -1.00%

Function 00D7A918 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction ID: e82288cbee3b8fa683e07d6170c2aed11ee6c758bf4568b6d25aa0e10f44e11c
Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction Fuzzy Hash: 23517F72D0011AAFDF14CF98C941AEEBBB2FF88300F598459E559AB241D734AA50DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 00ED72CE Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e38d3ac4c14042e1fb0d597efa3256b1306566ce419722b980a0dfe1973c8d79
Instruction ID: b8259f9aed4a0b88be4a2e152374b474e6193cd6149e97bf55282e6af6b750c3
Opcode Fuzzy Hash: e38d3ac4c14042e1fb0d597efa3256b1306566ce419722b980a0dfe1973c8d79
Instruction Fuzzy Hash: 9D210A22B10A214BE710957ACCF16D3B3D2A79F370F68D7348294C77E9E63D400D9690

Uniqueness

Uniqueness Score: -1.00%

Function 010D757B Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73dcd3f5aade5c6b4bf5e730f1c0417f2ff6fe7f6b9d4e667f7f1a09a953fcfd
Instruction ID: 11f2bff0b21cbbbcb50caad2dcdf3d9b524f2c36911c5ff5c795b7d207324bad
Opcode Fuzzy Hash: 73dcd3f5aade5c6b4bf5e730f1c0417f2ff6fe7f6b9d4e667f7f1a09a953fcfd
Instruction Fuzzy Hash: 2521DB7194C7098FC310EF28D88548FB3F2BBC4B14F50CA6CE98857699D37AA941DB82

Uniqueness

Uniqueness Score: -1.00%

Function 0118654D Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c97a69aa0f0da26ff96770a8cd51e1116593f89f0aa953e7f9a33927fa29aa9
Instruction ID: 51410c4811f0b3dcdb93202a6ad4f4d06f7389c2b85d9fcc220a93e021626836
Opcode Fuzzy Hash: 8c97a69aa0f0da26ff96770a8cd51e1116593f89f0aa953e7f9a33927fa29aa9
Instruction Fuzzy Hash: 5FD05E715C8312AFCA01DF44F680C8BB7A6ABCC328FA9895C948C03110C332B520CE93

Uniqueness

Uniqueness Score: -1.00%

Function 00D772C0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D772F7
___except_validate_context_record.LIBVCRUNTIME ref: 00D772FF
_ValidateLocalCookies.LIBCMT ref: 00D77388
__IsNonwritableInCurrentImage.LIBCMT ref: 00D773B3
_ValidateLocalCookies.LIBCMT ref: 00D77408

Strings

csm, xrefs: 00D7739D

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 72f862ac741878b4d042495b6cf6512e258522b5b83c8c9c4929d9afcb748edb
Instruction ID: f324a42258eca5c1f49e2bcca3de0365bf637fed0e1ab40762f6ac279c50e9e7
Opcode Fuzzy Hash: 72f862ac741878b4d042495b6cf6512e258522b5b83c8c9c4929d9afcb748edb
Instruction Fuzzy Hash: 2D41C430A042199FCF10DF68C885A9E7BA5EF44318F18C556EC2CAB352E771E915DBB1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5D260 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D5D28A
std::_Lockit::_Lockit.LIBCPMT ref: 00D5D2AC
std::_Lockit::~_Lockit.LIBCPMT ref: 00D5D2D4
__Getcoll.LIBCPMT ref: 00D5D39F
std::_Facet_Register.LIBCPMT ref: 00D5D3E4
std::_Lockit::~_Lockit.LIBCPMT ref: 00D5D40E

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetcollRegister
String ID:
API String ID: 1184649410-0
Opcode ID: 3e27ce9f8d6ced18842059778af4a836192d96eab98661cca4484f7a3e7fcb4c
Instruction ID: 6e6e919d11018ddf6a4f906b508ee3b7aea450ef42f1d7ed31e33e8307575be2
Opcode Fuzzy Hash: 3e27ce9f8d6ced18842059778af4a836192d96eab98661cca4484f7a3e7fcb4c
Instruction Fuzzy Hash: DF519B71C01248DFDF11DF99C945BAEBBB4EF40714F248059E8196B381D775AA0ACBB2

Uniqueness

Uniqueness Score: -1.00%

Function 00EDED60 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59COMMONLIBRARYCODE

Download Yara Rule

APIs

TlsGetValue.KERNEL32(?,?,00EE5EAE,00000000), ref: 00EDED72
TlsGetValue.KERNEL32(00000005), ref: 00EDED89

Strings

EncodePointer, xrefs: 00EDEDB4
KERNEL32.DLL, xrefs: 00EDED99, 00EDED9E, 00EDEDA9

Memory Dump Source

Source File: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: Value
String ID: EncodePointer$KERNEL32.DLL
API String ID: 3702945584-3682587211
Opcode ID: 8e0e5e303037f169ffdf33d791c0298003c5eabea9c11cdb9880677055f866c2
Instruction ID: c88c27855044a0bd48e1b5311b0cea5b17459a1fb55f22b40874782d1de6903e
Opcode Fuzzy Hash: 8e0e5e303037f169ffdf33d791c0298003c5eabea9c11cdb9880677055f866c2
Instruction Fuzzy Hash: 89112930100696AACB11BB75EC0999A3FDACF013647141152F908FF3E2DF35C9028691

Uniqueness

Uniqueness Score: -1.00%

Function 00EE3F3E Relevance: 7.7, APIs: 5, Instructions: 175COMMONLIBRARYCODE

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00EE3FC0
MultiByteToWideChar.KERNEL32(?,00000001,?,00EE2ED4,00000000,00000000,?,00EE2ED4,00000001,?,?,?,?,?,?,?), ref: 00EE4000
_memset.LIBCMT ref: 00EE4038
MultiByteToWideChar.KERNEL32(?,00000001,?,00EE2ED4,?,00000000,?,?,?,?,?,?,?,00EE2ED4,00000001,?), ref: 00EE404F
__freea.LIBCMT ref: 00EE40D7

Memory Dump Source

Source File: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$__freea_memset_strlen
String ID:
API String ID: 2205602819-0
Opcode ID: 21f88bc2b8c86b2c95e2369d11aa399adec386341e0e917beb5485bf68499b6c
Instruction ID: a2af1c2e1c83f3311a204cbb0ef0ca21dd4c60835fa89c8debdeeb2e76c2e299
Opcode Fuzzy Hash: 21f88bc2b8c86b2c95e2369d11aa399adec386341e0e917beb5485bf68499b6c
Instruction Fuzzy Hash: D8519A71D0019DAFCF219FA6DC44DEEBBB9EF89324F201125FA14B2290D7318951CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D5C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D5C45A
std::_Lockit::_Lockit.LIBCPMT ref: 00D5C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00D5C4A4
std::_Facet_Register.LIBCPMT ref: 00D5C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00D5C5C4

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: a31b0c97b305d68fc356b8ad9c980c16ee8f9e8fce196204e1b7a28094df61fd
Instruction ID: cdcc9e66d8280e5cd2c43e22c75bfb0f7cb5aaf2343eb01d289509588fbf64d0
Opcode Fuzzy Hash: a31b0c97b305d68fc356b8ad9c980c16ee8f9e8fce196204e1b7a28094df61fd
Instruction Fuzzy Hash: BD519D71900254DFDF11DF98C845BAEBBF0FB50314F288159E8456B381E775AA49CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00EE2CEA Relevance: 6.2, APIs: 4, Instructions: 167COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,00001006,00001004,?,?,?,?,00EE2ED4,00000001,?,?), ref: 00EE2D90
_memset.LIBCMT ref: 00EE2DE5
MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,00000000,00000000,?,?,?,?,00000001,?), ref: 00EE2DFA
__freea.LIBCMT ref: 00EE2E12

Part of subcall function 00EE3F3E: _strlen.LIBCMT ref: 00EE3FC0
Part of subcall function 00EE3F3E: _memset.LIBCMT ref: 00EE4038
Part of subcall function 00EE3F3E: MultiByteToWideChar.KERNEL32(?,00000001,?,00EE2ED4,?,00000000,?,?,?,?,?,?,?,00EE2ED4,00000001,?), ref: 00EE404F

Memory Dump Source

Source File: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: ByteCharMultiWide$_memset$__freea_strlen
String ID:
API String ID: 1758600711-0
Opcode ID: b5440c92b7b27f0295343e15a101981d7e25f7df1fe2cc57ffd4419e47dbfc4e
Instruction ID: b82c05838b073ccf4ceb1d60039732423ea73d6c51ad4272707b4059f17e6e73
Opcode Fuzzy Hash: b5440c92b7b27f0295343e15a101981d7e25f7df1fe2cc57ffd4419e47dbfc4e
Instruction Fuzzy Hash: 48519D7290019EAFCF119F66DC819AE3BADEF18358B14542AFB05E7261D730CDA1DB90

Uniqueness

Uniqueness Score: -1.00%

Function 00D47350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00D4750C
___std_exception_destroy.LIBVCRUNTIME ref: 00D47522

Strings

[json.exception., xrefs: 00D473A1

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 01c4f8d568238f4b6e076e7ab2d4950f31fd26af09e429dc1499d21c55d498bd
Instruction ID: d7b70128c244c29319c35da216a5e730fe0252bebb165652607f748b47bc4b5a
Opcode Fuzzy Hash: 01c4f8d568238f4b6e076e7ab2d4950f31fd26af09e429dc1499d21c55d498bd
Instruction Fuzzy Hash: C451D1B0D04348DFDB00DFA8C905BAEBBB4EF15314F148269E855AB282E7B55A44D7F2

Uniqueness

Uniqueness Score: -1.00%

Function 00D44040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00D44061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00D440C4

Strings

bad locale name, xrefs: 00D440E6

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 812aaf6885fa03a11a1f49d82a5dfa778e04cfe29d8b9ca78d5f8e43bde2e590
Instruction ID: f9adde627e89b1942ce924c8a38865be1e5759131e5bb122877ab321961d357c
Opcode Fuzzy Hash: 812aaf6885fa03a11a1f49d82a5dfa778e04cfe29d8b9ca78d5f8e43bde2e590
Instruction Fuzzy Hash: 9311B170805BC4DED321CF68C50474BBFE4EF15714F14868DD49997B81D3B6AA04CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00D83623 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00D8366A

Strings

CorExitProcess, xrefs: 00D83662
mscoree.dll, xrefs: 00D83651

Memory Dump Source

Source File: 00000000.00000002.1897564246.0000000000D41000.00000020.00000001.01000000.00000003.sdmp, Offset: 00D40000, based on PE: true

Associated: 00000000.00000002.1897541296.0000000000D40000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897658096.0000000000E9A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897681310.0000000000EC2000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897700711.0000000000EC7000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897723409.0000000000EEF000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897738079.0000000000EF5000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897953657.0000000001188000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1897973885.0000000001189000.00000020.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1898318084.0000000001554000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d40000_file.jbxd

Similarity

API ID: AddressProc
String ID: CorExitProcess$mscoree.dll
API String ID: 190572456-1276376045
Opcode ID: 28d319f610acb8e62843e3694bafa25ef6c6ca643a418234944ebe5825e10960
Instruction ID: be14599f01a7597c31283bc6772288bf6ba4c7db9545ae0415a786ddf6f6558f
Opcode Fuzzy Hash: 28d319f610acb8e62843e3694bafa25ef6c6ca643a418234944ebe5825e10960
Instruction Fuzzy Hash: A1019631540759EFDB11AB58DC06BBEB7B8FB04B14F144629A815A22D0DB759A04CB94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.Unlike Keylogging , this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:
Tactics:	Collection, Credential Access
Data Sources:	Process: OS API Execution, Process: Process Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_file.exe_ff31866d17fa18c7913366427148ad386_8682c2da_5ca5d425-8a52-4555-bdfc-fbe386d59aef\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE007.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE0F3.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERE113.tmp.xml

C:\Users\user\AppData\Local\Temp\gaUkmAzGb_el0KBPcRFr18l.zip

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\02zdBXl47cvzcookies.sqlite

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\1WonyWgTlWBJWeb Data

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\3b6N2Xdh3CYwplaces.sqlite

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\D87fZN3R3jFeplaces.sqlite

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\GQbFHuRC5t7nLogin Data

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\LJ0Ouc26bvKFWeb Data

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\OGqN14Hqc_tTHistory

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\RrlgkTLYOV84Cookies

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\Rxxkzr6lX3hbHistory

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\ThP4m_kOyXD9Login Data

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\UgGJ3iGDvYBdLogin Data For Account

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\e5Yph_sHMcOsHistory

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\l4mPY5f2P8ThHistory

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\nCO5UlAAWThWWeb Data

C:\Users\user\AppData\Local\Temp\spanKRfwTJj1oH7F\nG2tiL1Y5ubwWeb Data

Windows Analysis Report
file.exe

Function 00E04EB0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 240
networksleepCOMMON

Function 00D9E090 Relevance: 49.8, APIs: 10, Strings: 18, Instructions: 832
COMMON

Function 00E1C3E0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 170
COMMON

Function 00E249F0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 125
COMMON

Function 00F24566 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 32
COMMON

Function 00E05940 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Function 0107B7A4 Relevance: 1.6, APIs: 1, Instructions: 59
COMMON

Function 00FBAE7C Relevance: 1.5, APIs: 1, Instructions: 22
injectionCOMMON

Function 01085DC3 Relevance: 1.5, APIs: 1, Instructions: 10
COMMON

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre