Edit tour

Windows Analysis Report
rise2406.exe

Overview

General Information

Sample name:	rise2406.exe
Analysis ID:	1462857
MD5:	c6c9f27d335d4e47b5ea12653e806be6
SHA1:	e53242d463e2c94383ec646e7e04504b96b4d176
SHA256:	514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Allocates memory in foreign processes

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found stalling execution ending in API Sleep call

Injects a PE file into a foreign processes

Machine Learning detection for sample

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Checks if the current process is being debugged

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found evasive API chain (date check)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

rise2406.exe (PID: 3180 cmdline: "C:\Users\user\Desktop\rise2406.exe" MD5: C6C9F27D335D4E47B5EA12653E806BE6)

conhost.exe (PID: 1456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RegAsm.exe (PID: 2520 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

RegAsm.exe (PID: 2516 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)

WerFault.exe (PID: 2700 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 140 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RegAsm.exe PID: 2516	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Snort Signatures

ET TROJAN [ANY.RUN] RisePro TCP (External IP) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.7

Timestamp:	06/26/24-08:59:32.465846
SID:	2046267
Source Port:	50500
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.7 - Destination IP: 5.42.67.8

Timestamp:	06/26/24-08:59:36.929586
SID:	2046269
Source Port:	49701
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.7 - Destination IP: 5.42.67.8

Timestamp:	06/26/24-08:57:45.307172
SID:	2049060
Source Port:	49701
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] RisePro TCP (Token) - Source IP: 5.42.67.8 - Destination IP: 192.168.2.7

Timestamp:	06/26/24-08:57:45.857539
SID:	2046266
Source Port:	50500
Destination Port:	49701
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: rise2406.exe	ReversingLabs: Detection: 87%
Source: rise2406.exe	Virustotal: Detection: 78%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: rise2406.exe

Joe Sandbox ML: detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree,

4_2_004C6B00

Source: rise2406.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49721 version: TLS 1.2

Source: rise2406.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0053C8CD FindFirstFileExW,	0_2_0053C8CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	4_2_004C6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00432022 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	4_2_00432022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	4_2_004E6770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	4_2_004938D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493B60 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,lstrlenA,	4_2_00493B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044FC2F FindFirstFileExW,	4_2_0044FC2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	4_2_004DFF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	4_2_00431F9C

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.7:49701 -> 5.42.67.8:50500
Source: Traffic	Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.7:49701
Source: Traffic	Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.7:49701 -> 5.42.67.8:50500
Source: Traffic	Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.67.8:50500 -> 192.168.2.7:49701

Source: global traffic

TCP traffic: 192.168.2.7:49701 -> 5.42.67.8:50500

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View	IP Address: 172.67.75.166 172.67.75.166
Source: Joe Sandbox View	IP Address: 5.42.67.8 5.42.67.8

Source: Joe Sandbox View

ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: unknown	DNS query: name: ipinfo.io
Source: unknown	DNS query: name: ipinfo.io

Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00409280 recv,GetProcAddress,GetModuleHandleA,GetProcAddress,WSASend,

4_2_00409280

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic	HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com

Source: global traffic	DNS traffic detected: DNS query: ipinfo.io
Source: global traffic	DNS traffic detected: DNS query: db-ip.com

Source: Amcache.hve.7.dr	String found in binary or memory: http://upx.sf.net
Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33J
Source: RegAsm.exe, RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2546153992.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/q
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2546153992.0000000000D96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000D96000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33:
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RegAsm.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443

Source: unknown	HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.7:49720 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.7:49721 version: TLS 1.2

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_005409FC	0_2_005409FC
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00532C20	0_2_00532C20
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0053BC92	0_2_0053BC92
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00540DD4	0_2_00540DD4
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0052FF04	0_2_0052FF04
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00537782	0_2_00537782
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004E4BD0	4_2_004E4BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044002D	4_2_0044002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_005220D0	4_2_005220D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F60E0	4_2_004F60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004D70F0	4_2_004D70F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493080	4_2_00493080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004EE170	4_2_004EE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00508120	4_2_00508120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004371A0	4_2_004371A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_005031A0	4_2_005031A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00512260	4_2_00512260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0040A2C0	4_2_0040A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0050A2B0	4_2_0050A2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044036F	4_2_0044036F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004A4320	4_2_004A4320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00490440	4_2_00490440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F0450	4_2_004F0450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004DE430	4_2_004DE430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004FA480	4_2_004FA480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00514550	4_2_00514550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0053F550	4_2_0053F550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F85F0	4_2_004F85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0042F580	4_2_0042F580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0048F590	4_2_0048F590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00452610	4_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004A3610	4_2_004A3610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_005486C0	4_2_005486C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00547760	4_2_00547760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F7730	4_2_004F7730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004E77E0	4_2_004E77E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_005397B0	4_2_005397B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004547BF	4_2_004547BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F2820	4_2_004F2820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0043C960	4_2_0043C960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00546970	4_2_00546970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F7960	4_2_004F7960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0043A928	4_2_0043A928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004FA930	4_2_004FA930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004EF9A0	4_2_004EF9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044DA86	4_2_0044DA86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F8B40	4_2_004F8B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493B60	4_2_00493B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0051DBB0	4_2_0051DBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00500BA0	4_2_00500BA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00458BB0	4_2_00458BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004EFC40	4_2_004EFC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004EEC40	4_2_004EEC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F7C00	4_2_004F7C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00503CC0	4_2_00503CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00409C90	4_2_00409C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00534D40	4_2_00534D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F9D70	4_2_004F9D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F7D00	4_2_004F7D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004FAD00	4_2_004FAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00546D20	4_2_00546D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00545DE0	4_2_00545DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0053AE20	4_2_0053AE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00458E30	4_2_00458E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00506EA0	4_2_00506EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00516EA0	4_2_00516EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004DFF00	4_2_004DFF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00541F00	4_2_00541F00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004ECF20	4_2_004ECF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004F2FD0	4_2_004F2FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00501FE0	4_2_00501FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004FFFA0	4_2_004FFFA0

Source: C:\Users\user\Desktop\rise2406.exe	Code function: String function: 0052A0C0 appears 50 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00547510 appears 102 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00434380 appears 54 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 0041ACE0 appears 52 times

Source: C:\Users\user\Desktop\rise2406.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 140

Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenamedotnet.exe6 vs rise2406.exe

Source: rise2406.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: rise2406.exe

Static PE information: Section: .data ZLIB complexity 0.9968365897495362

Source: classification engine

Classification label: mal100.troj.evad.winEXE@7/6@2/3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00545050 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,

4_2_00545050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00544A40 GetDiskFreeSpaceW,GetDiskFreeSpaceA,

4_2_00544A40

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0048F070 CreateDirectoryA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

4_2_0048F070

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1456:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3180

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

File created: C:\Users\user~1\AppData\Local\Temp\trixyuIHtL4lTJ8ci

Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: rise2406.exe	ReversingLabs: Detection: 87%
Source: rise2406.exe	Virustotal: Detection: 78%

Source: RegAsm.exe

String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: unknown	Process created: C:\Users\user\Desktop\rise2406.exe "C:\Users\user\Desktop\rise2406.exe"
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 140
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"	Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Section loaded: gpapi.dll	Jump to behavior

Source: rise2406.exe

Static file information: File size 1870848 > 1048576

Source: rise2406.exe

Static PE information: Raw size of .data is bigger than: 0x100000 < 0x194400

Source: rise2406.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: rise2406.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: RegAsm.pdb source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004CF280 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,WaitForSingleObject,

4_2_004CF280

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00529AAF push ecx; ret		0_2_00529AC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00433F59 push ecx; ret		4_2_00433F6C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004EE170 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

4_2_004EE170

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Sandbox detection routine: GetCursorPos, DecisionNode, Sleep

graph_4-69899

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: GetPEB, DecisionNodes, Sleep

graph_4-69900

Found stalling execution ending in API Sleep call

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-70391

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos,

4_2_0045DB00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3303			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6588			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_4-70413

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_4-70426

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

API coverage: 5.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2052	Thread sleep count: 3303 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2052	Thread sleep time: -333603s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2052	Thread sleep count: 6588 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 2052	Thread sleep time: -665388s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_005449B0 GetSystemTime followed by cmp: cmp eax, 04h and CTI: jc 005449F1h

4_2_005449B0

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0053C8CD FindFirstFileExW,	0_2_0053C8CD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose,	4_2_004C6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00432022 GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,	4_2_00432022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004E6770 FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error,CreateDirectoryA,std::_Throw_Cpp_error,std::_Throw_Cpp_error,	4_2_004E6770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose,	4_2_004938D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493B60 RegOpenKeyExA,RegQueryValueExA,RegCloseKey,SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA,CredEnumerateA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,lstrlenA,SHGetFolderPathA,GetPrivateProfileSectionNamesA,GetPrivateProfileStringA,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,lstrlenA,	4_2_00493B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0044FC2F FindFirstFileExW,	4_2_0044FC2F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	4_2_004DFF00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00431F9C FindClose,FindFirstFileExW,GetLastError,	4_2_00431F9C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004580D8 VirtualQuery,GetSystemInfo,

4_2_004580D8

Source: Amcache.hve.7.dr	Binary or memory string: VMware
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr	Binary or memory string: VMware, Inc.
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: RegAsm.exe, 00000004.00000002.2546153992.0000000000DB9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Amcache.hve.7.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: Amcache.hve.7.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Source: C:\Users\user\Desktop\rise2406.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_0052DED3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_0052DED3

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_004CF280

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00533A8C mov ecx, dword ptr fs:[00000030h]	0_2_00533A8C
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_005385C5 mov eax, dword ptr fs:[00000030h]	0_2_005385C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0045DB00 mov eax, dword ptr fs:[00000030h]	4_2_0045DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0045DB00 mov eax, dword ptr fs:[00000030h]	4_2_0045DB00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004D6280 mov eax, dword ptr fs:[00000030h]	4_2_004D6280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00493B60 mov eax, dword ptr fs:[00000030h]	4_2_00493B60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004D2DC0 mov ecx, dword ptr fs:[00000030h]	4_2_004D2DC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_004C6D80 mov eax, dword ptr fs:[00000030h]	4_2_004C6D80

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_0053DAB5 GetProcessHeap,

0_2_0053DAB5

Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0052A04B SetUnhandledExceptionFilter,	0_2_0052A04B
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0052A105 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0052A105
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_0052DED3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0052DED3
Source: C:\Users\user\Desktop\rise2406.exe	Code function: 0_2_00529EEF IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00529EEF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00434184 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00434184
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00434311 SetUnhandledExceptionFilter,	4_2_00434311
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_0043451D SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_0043451D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 4_2_00438A64 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_00438A64

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\rise2406.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write

Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_007A018D GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,CreateProcessA,CreateProcessA,VirtualAlloc,VirtualAlloc,GetThreadContext,Wow64GetThreadContext,ReadProcessMemory,ReadProcessMemory,VirtualAllocEx,VirtualAllocEx,GetProcAddress,TerminateProcess,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,Wow64SetThreadContext,ResumeThread,ResumeThread,

0_2_007A018D

Contains functionality to inject threads in other processes

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

4_2_004CF280

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\rise2406.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 55D000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 585000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58A000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 58C000	Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 821008	Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior
Source: C:\Users\user\Desktop\rise2406.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"			Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_00529C95 cpuid

0_2_00529C95

Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	0_2_00540033
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,	0_2_0053F8CA
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,	0_2_005370FB
Source: C:\Users\user\Desktop\rise2406.exe	Code function: EnumSystemLocalesW,	0_2_0053F971
Source: C:\Users\user\Desktop\rise2406.exe	Code function: EnumSystemLocalesW,	0_2_0053F9BC
Source: C:\Users\user\Desktop\rise2406.exe	Code function: EnumSystemLocalesW,	0_2_0053FA57
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	0_2_0053FAE2
Source: C:\Users\user\Desktop\rise2406.exe	Code function: EnumSystemLocalesW,	0_2_00536BD5
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,	0_2_0053FD35
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	0_2_0053FE5E
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	0_2_0053F6CF
Source: C:\Users\user\Desktop\rise2406.exe	Code function: GetLocaleInfoW,	0_2_0053FF64
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_004531CA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_0044B1B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	4_2_004532F3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_004533F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	4_2_004534CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_0044B734
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetACP,IsValidCodePage,GetLocaleInfoW,	4_2_00452B5A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,	4_2_00452D5F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoEx,FormatMessageA,	4_2_00431D94
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_00452E51
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_00452E06
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: EnumSystemLocalesW,	4_2_00452EEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	4_2_00452F77
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,	4_2_004DFF00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\rise2406.exe

Code function: 0_2_0052A302 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_0052A302

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_004DFF00 CreateDirectoryA,FindFirstFileA,CreateDirectoryA,CopyFileA,FindNextFileA,FindClose,GetLastError,GetLastError,CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey,

4_2_004DFF00

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_0044D130 GetTimeZoneInformation,

4_2_0044D130

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 4_2_00545050 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA,

4_2_00545050

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2516, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 2516, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	511 Process Injection	12 Virtualization/Sandbox Evasion	OS Credential Dumping	12 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	511 Process Injection	LSASS Memory	151 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Deobfuscate/Decode Files or Information	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	2 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	13 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	1 Account Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 System Owner/User Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	1 System Network Configuration Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 File and Directory Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	36 System Information Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
rise2406.exe	88%	ReversingLabs	Win32.Trojan.LummaStealer
rise2406.exe	79%	Virustotal		Browse
rise2406.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://ipinfo.io/	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.winimage.com/zLibDll	0%	Avira URL Cloud	safe
https://ipinfo.io:443/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://db-ip.com/	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33	0%	Avira URL Cloud	safe
https://db-ip.com:443/demo/home.php?s=8.46.123.33J	0%	Avira URL Cloud	safe
https://ipinfo.io/q	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://ipinfo.io/Mozilla/5.0	0%	Avira URL Cloud	safe
https://db-ip.com/demo/home.php?s=8.46.123.33	0%	Avira URL Cloud	safe
https://ipinfo.io/widget/demo/8.46.123.33:	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ipinfo.io	34.117.186.192	true	false		unknown
db-ip.com	172.67.75.166	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/	false	URL Reputation: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33	false	Avira URL Cloud: safe	unknown
https://db-ip.com/demo/home.php?s=8.46.123.33	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://db-ip.com:443/demo/home.php?s=8.46.123.33J	RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io:443/widget/demo/8.46.123.33	RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/q	RegAsm.exe, 00000004.00000002.2546153992.0000000000D88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	RegAsm.exe	false	Avira URL Cloud: safe	unknown
https://db-ip.com/	RegAsm.exe, 00000004.00000002.2546153992.0000000000DFF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	rise2406.exe, 00000000.00000002.1446239278.0000000000554000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000004.00000002.2545502529.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.7.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	RegAsm.exe, 00000004.00000002.2546153992.0000000000D5A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/Mozilla/5.0	RegAsm.exe, 00000004.00000002.2546153992.0000000000DDF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/widget/demo/8.46.123.33:	RegAsm.exe, 00000004.00000002.2546153992.0000000000D96000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.117.186.192	ipinfo.io	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
172.67.75.166	db-ip.com	United States	13335	CLOUDFLARENETUS	false
5.42.67.8	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1462857
Start date and time:	2024-06-26 08:56:44 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	rise2406.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@7/6@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 79% Number of executed functions: 29 Number of non-executed functions: 159
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, time.windows.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
02:57:58	API Interceptor	1x Sleep call for process: WerFault.exe modified
04:11:36	API Interceptor	261810x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.117.186.192	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	HP-patchedUS-deobfuscated.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/
	SecuriteInfo.com.Win32.Evo-gen.24318.16217.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	SecuriteInfo.com.Win32.Evo-gen.28489.31883.exe	Get hash	malicious	Unknown	Browse	ipinfo.io/json
	Raptor.HardwareService.Setup 1.msi	Get hash	malicious	Unknown	Browse	ipinfo.io/ip
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	Conferma_Pdf_Editor.exe	Get hash	malicious	Planet Stealer	Browse	ipinfo.io/
	w.sh	Get hash	malicious	Xmrig	Browse	/ip
172.67.75.166	http://luxury-sherbet-tk1111-10e1b5.netlify.app/form.html	Get hash	malicious	Unknown	Browse
	https://cn10.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse
	T17sbXrL3i.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	https://curious-kringle-id4964-024b3b3.netlify.app/form.html	Get hash	malicious	Unknown	Browse
	4Ip0IVHqJ3.exe	Get hash	malicious	RisePro Stealer	Browse
	https://gacw-no-reply-restriction-appeal-case.netlify.app/feedback_id_38258467296/	Get hash	malicious	Unknown	Browse
	http://rules-prohibiting-violative-advertisi.netlify.app/appeal_case_ID_78234127826/	Get hash	malicious	Unknown	Browse
5.42.67.8	1kBeqS7E3z.exe	Get hash	malicious	LummaC, RisePro Stealer, Vidar	Browse
	BY1Fwf74x3.exe	Get hash	malicious	RisePro Stealer, Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.4435.12354.exe	Get hash	malicious	CryptOne, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	WaGiUWSpyO.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	1n4J6tLgsc.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ipinfo.io	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	http://telegravm.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrarl.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegraem.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrema.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrram.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrmaw.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrnal.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrma.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
db-ip.com	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	http://luxury-sherbet-tk1111-10e1b5.netlify.app/form.html	Get hash	malicious	Unknown	Browse	172.67.75.166
	https://le-2vr.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://e23-c5p.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://ml5-94x.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	104.26.5.15
	https://cn10.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	172.67.75.166
	https://verify-infraction-messages.netlify.app/appeal_case_id_561597519/	Get hash	malicious	Unknown	Browse	104.26.5.15
	90ZF1EDs9h.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.5.15
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15
	file.exe	Get hash	malicious	RisePro Stealer	Browse	104.26.4.15

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	file.exe	Get hash	malicious	Unknown	Browse	5.42.66.10
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	adbf66605a6b569b3b4e915ad9cdf271c0889a14fc59b70233b2c966fca1dc93_dump.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	file.exe	Get hash	malicious	RedLine	Browse	5.42.65.92
	DqnftBv2b9.exe	Get hash	malicious	Mars Stealer, Stealc, Vidar	Browse	5.42.104.211
	1kBeqS7E3z.exe	Get hash	malicious	LummaC, RisePro Stealer, Vidar	Browse	5.42.65.116
	file.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	5.42.65.92
GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	https://riprogramma.consegna.3-79-47-0.cprapid.com/brt/update.php?%276	Get hash	malicious	Unknown	Browse	34.117.77.79
	http://3-79-47-0.cprapid.com/brt/update.php?%2704bd392f228f637be355	Get hash	malicious	Unknown	Browse	34.117.77.79
	https://opposite-grandiose-flock.glitch.me/public/digitalapps.navyfederal.org.html	Get hash	malicious	HTMLPhisher	Browse	34.117.77.79
	Authorization code - SO10552124.PDF	Get hash	malicious	Unknown	Browse	34.117.77.79
	Raptor.HardwareService.Setup_2.3.6.0.msi	Get hash	malicious	Unknown	Browse	34.117.186.192
	https://eex2ujl43dm.larksuite.com/wiki/Ui6DwyQ8kilW7qkvx66uyYsusXb?from=from_copylink	Get hash	malicious	HTMLPhisher	Browse	34.117.97.41
	file.exe	Get hash	malicious	RisePro Stealer	Browse	34.117.186.192
	http://telegravm.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegrarl.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
	http://telegraem.work/	Get hash	malicious	Telegram Phisher	Browse	34.117.186.192
CLOUDFLARENETUS	_Account Receipt.PDF.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	ORDEN DE COMPRA OI1597.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	288292021 ABB.exe	Get hash	malicious	FormBook	Browse	188.114.96.3
	GG017077 TAE.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	0Z0CbhhLet.exe	Get hash	malicious	Quasar	Browse	172.67.74.152
	txJO1YslwA.rtf	Get hash	malicious	Unknown	Browse	188.114.96.3
	GOoY5QBqvC.elf	Get hash	malicious	Mirai, Moobot	Browse	104.16.167.29
	clamav-26507ecba954172bdcc6c436a16c6d66.tmp	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	https://nekofile.eu.org/d7e69ef7da63a0b454230diaj	Get hash	malicious	Unknown	Browse	172.64.41.3
	https://nekofile.eu.org/f8e2cb54931bf39d6c12eo5nc	Get hash	malicious	Unknown	Browse	1.1.1.1

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	qoe1X4ig0N.exe	Get hash	malicious	LummaC, AsyncRAT, DarkTortilla, LummaC Stealer, Njrat, SmokeLoader, StormKitty	Browse	34.117.186.192 172.67.75.166
	proof.cmd	Get hash	malicious	DBatLoader, Remcos	Browse	34.117.186.192 172.67.75.166
	pmrD6U8p5z.xls	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	file.exe	Get hash	malicious	LummaC	Browse	34.117.186.192 172.67.75.166
	Techno_PO LV12406-003211.xla.xlsx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	Techno_PO LV12406-00311.xla.xlsx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	PO LV12406-00390.xla.xlsx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	BlockIps.Docx	Get hash	malicious	Unknown	Browse	34.117.186.192 172.67.75.166
	Purchase Order.bat	Get hash	malicious	DBatLoader	Browse	34.117.186.192 172.67.75.166
	7rBFEWNRqy.exe	Get hash	malicious	LummaC, SmokeLoader	Browse	34.117.186.192 172.67.75.166

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rise2406.exe_a2fa92cb97a2b320a08f8e64ea523b20ebb5f8f1_8f97a443_dd428d2d-1b53-456e-afc5-446050e7694b\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.7007062601030464
Encrypted:	false
SSDEEP:	96:jP4FOH/usAhqjoOyDqGQXIDcQZc68cE+cw3Jqe+HbHg/PB6HeaOy1FhZAX/d5FMv:j4gH/u8t0H4UcjG1zuiFyZ24IO8KL
MD5:	4F7B153356A21D0E0F145E4132E37263
SHA1:	9BA233E6AB5F2F017293B2A2EEF35782D3BACD24
SHA-256:	29378ECA28488E4BA5D22B072C57A113873FBEB2A82A10C303F1BA0892DFFB2F
SHA-512:	AA3C3D716D22D39545A8727309F3A6F67E4140A0455D8F76AA37F0AE9D4EBA55DED431A96789FC2D15C9DD67A7720DAB6CCBDB3DC21414634BFF5637D403BFBC
Malicious:	true
Reputation:	low
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.3.8.5.8.6.6.4.0.8.2.5.7.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.3.8.5.8.6.6.4.6.7.6.3.2.4.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.d.4.2.8.d.2.d.-.1.b.5.3.-.4.5.6.e.-.a.f.c.5.-.4.4.6.0.5.0.e.7.6.9.4.b.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.d.1.d.0.d.a.3.f.-.5.1.d.a.-.4.b.b.5.-.a.a.7.9.-.b.8.3.c.f.6.2.5.5.f.0.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.r.i.s.e.2.4.0.6...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.c.6.c.-.0.0.0.1.-.0.0.1.4.-.5.e.9.0.-.3.4.2.4.9.6.c.7.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.6.9.f.7.8.3.5.9.1.1.b.e.9.f.c.a.f.b.8.f.c.5.b.7.b.0.d.c.0.f.f.3.0.0.0.0.f.f.f.f.!.0.0.0.0.e.5.3.2.4.2.d.4.6.3.e.2.c.9.4.3.8.3.e.c.6.4.6.e.7.e.0.4.5.0.4.b.9.6.b.4.d.1.7.6.!.r.i.s.e.2.4.0.6...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E75.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Wed Jun 26 06:57:44 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	47100
Entropy (8bit):	1.8252727652124974
Encrypted:	false
SSDEEP:	192:mykqBVV9OMvskaBktKYUd4kD2yE1WdlVQ5LM:F5wMvskaBktKYI2yE12lVQ5
MD5:	BBD9295B206DABE992F3C66CBFBB9C79
SHA1:	69893A4AB3B9A1122F4863F0F9EB55BF376BA346
SHA-256:	3D6DAA050E5FA8AD4025CADC6EF3081DD6B8CBB4A64FD139081CB2C6CEFC9ABF
SHA-512:	4731ECECFAAF5C055037E53BA2D14051DF9CE5EFEDC764EB855461C2E5D62BFCBC80C5298EA094284E7927FF86A186403867E1382525AE90ACED335E42CAF48B
Malicious:	false
Reputation:	low
Preview:	MDMP..a..... ........{f........................X...............N#..........T.......8...........T...........@...............T...........@...............................................................................eJ..............GenuineIntel............T.......l....{f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F7F.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8344
Entropy (8bit):	3.7039735507651863
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+W606YN1SUHQgmfvJ2Xyprr89boMsfJ4m:R6lXJP606YvSUHQgmfvJ2LoffD
MD5:	F4E60215C8F423BDB047EB40142F28A6
SHA1:	DC99EBC00D009FE23795FE8A91FCFA1830E85C4F
SHA-256:	52F2ADE8FA5579441E043B494D8697CA21C6B212C7692D3A23534ED23EA68E6D
SHA-512:	68B6371DDDA400177012A768E063E4C313375F192ABF870356A1EFCDBB4E4037F29AF6FFA6263D716C23BCB9F4C894F7693061F3EC354602E0043FE046DD6AC6
Malicious:	false
Reputation:	low
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.3.1.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FAF.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4625
Entropy (8bit):	4.493182411741148
Encrypted:	false
SSDEEP:	48:cvIwWl8zsCJg77aI9JiTWpW8VYMYm8M4JHVFl+q8TMhkKWBSad:uIjfQI7Si7VwJV3kKWkad
MD5:	BD57B6DFB4823B8CAE63139D142F06EB
SHA1:	C02B4B67C4B49A0F8268B7F4D6A08552737B7524
SHA-256:	F5D61207F9616815B42EC173AE223B372C55824E2F5988DB69BF147481B9F982
SHA-512:	08C1A8B85C62EF3B5BFDBB7DD43ACF79A4B97523CCD1C708DF4F77F4FDB9FDE7C84D32229232529359B246C01E3D7759ED85ACBC32036D906C2C32A758DE259B
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="384360" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.4166480132445125
Encrypted:	false
SSDEEP:	6144:fcifpi6ceLPL9skLmb0moSWSPtaJG8nAgex285i2MMhA20X4WABlGuN95+5:Ei58oSWIZBk2MM6AFBDo5
MD5:	0E19D08FE18D8BD9DE175F332BD75147
SHA1:	A743943723D85AA0D0F2181FA2026053489E95E1
SHA-256:	9541293C1501798039581F86A203B769D3739667EABF080E5E54C62CA8CB13BC
SHA-512:	611318A3E6CD7C0C02F95154D3095C20AA2F2C72B4DE8B8D5A6978C9F048B2429F3D09E8EB0F5E29C00E6A7034A21B01BD0058087D9BC298A027612867935173
Malicious:	false
Reputation:	low
Preview:	regfE...E....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.3.$............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\rise2406.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	14
Entropy (8bit):	3.3248629576173565
Encrypted:	false
SSDEEP:	3:oJCVNV:o8/V
MD5:	2C34338A8C340C46983875A53A889FC3
SHA1:	5EF486E22F88756BE456209030D46D3D94C21952
SHA-256:	511FF7ADE84BB22C9B35B62A64FC4100A1958E8D20CB795031199748A926E507
SHA-512:	61A221F599A577BC988C6CFF3319F214A62F066B5086C7D8841E8B88BC9FB6CC4F93E8E48E25382BB8148C8F26D045AD15A927ACF0742E69E24923A4659FF633
Malicious:	false
Reputation:	low
Preview:	Illkjmuueghu 0

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	7.948024837182058
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	rise2406.exe
File size:	1'870'848 bytes
MD5:	c6c9f27d335d4e47b5ea12653e806be6
SHA1:	e53242d463e2c94383ec646e7e04504b96b4d176
SHA256:	514efbae5faa43878c743c3db36f81c25ab5d6da93b879b6e88e7a63b1b19769
SHA512:	7e00bdac39c89821b776dda372693d29e0e7188f8ef747037b971461af79545908f8fc8c9bbf7a30f1b0cc4ceea45632e91c1093e784002994808c19bd2a7347
SSDEEP:	49152:KWPLwXMkW4itwCBDtixjSzceiLYtV25Mm8eEMMd:tPLPkW4IwcOj6iLYtV+Mw8
TLSH:	6C852300F4908073C562167706E4DFB69A7EB9714B725CDB6BA44FBF4F306C09632A6A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........@.}.@.}.@.}...~.Q.}...x...}...y.V.}..sy.R.}...\|.G.}.@.\|...}..sx...}..s~.X.}..px.A.}..p..A.}.Rich@.}.................PE..L..

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0x409aa5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x66789839 [Sun Jun 23 21:48:41 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	e4019b337e6aa53400bb9378be49b858

Entrypoint Preview

Instruction
call 00007F238CDFCE3Ah
jmp 00007F238CDFC409h
mov ecx, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], ecx
pop ecx
pop edi
pop edi
pop esi
pop ebx
mov esp, ebp
pop ebp
push ecx
ret
mov ecx, dword ptr [ebp-10h]
xor ecx, ebp
call 00007F238CDFC2F5h
jmp 00007F238CDFC572h
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C69C0h]
xor eax, ebp
push eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C69C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], eax
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax
ret
push eax
push dword ptr fs:[00000000h]
lea eax, dword ptr [esp+0Ch]
sub esp, dword ptr [esp+0Ch]
push ebx
push esi
push edi
mov dword ptr [eax], ebp
mov ebp, eax
mov eax, dword ptr [005C69C0h]
xor eax, ebp
push eax
mov dword ptr [ebp-10h], esp
push dword ptr [ebp-04h]
mov dword ptr [ebp-04h], FFFFFFFFh
lea eax, dword ptr [ebp-0Ch]
mov dword ptr fs:[00000000h], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33594	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1ca000	0x21f0	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x30a68	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x30ac0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x309a8	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x28000	0x180	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x251c2	0x25200	ad92eac1a3518c94a50c469e832eda52	False	0.5649134574915825	data	6.636592053866142	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.BSs	0x27000	0xe1d	0x1000	74293e678f0de25bb463c0dccc7904d8	False	0.583740234375	data	6.002868469254389	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x28000	0xbe86	0xc000	b0aa40c4aa7dfc2011d6ffe63826f1cd	False	0.41448974609375	data	4.98810951337647	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x34000	0x19534c	0x194400	4d397285c775cfc4554c7ce0ca0071fc	False	0.9968365897495362	data	7.999224560090972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x1ca000	0x21f0	0x2200	f4f8da3f2dfcb44938435d58d7a1d96f	False	0.7734375	data	6.553528678280142	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
GDI32.dll	Polyline, RectVisible
USER32.dll	OffsetRect
KERNEL32.dll	CreateFileW, HeapSize, SetStdHandle, WaitForSingleObject, CreateThread, VirtualAlloc, FreeConsole, RaiseException, InitOnceBeginInitialize, InitOnceComplete, CloseHandle, GetCurrentThreadId, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, WakeAllConditionVariable, SleepConditionVariableSRW, GetLastError, FreeLibraryWhenCallbackReturns, CreateThreadpoolWork, SubmitThreadpoolWork, CloseThreadpoolWork, GetModuleHandleExW, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, QueryPerformanceCounter, EncodePointer, DecodePointer, MultiByteToWideChar, WideCharToMultiByte, LCMapStringEx, GetSystemTimeAsFileTime, GetModuleHandleW, GetProcAddress, GetStringTypeW, GetCPInfo, IsDebuggerPresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetStartupInfoW, GetCurrentProcess, TerminateProcess, GetCurrentProcessId, InitializeSListHead, GetProcessHeap, RtlUnwind, SetLastError, InitializeCriticalSectionAndSpinCount, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, FreeLibrary, LoadLibraryExW, ExitProcess, GetModuleFileNameW, GetStdHandle, WriteFile, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, GetFileType, GetFileSizeEx, SetFilePointerEx, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, ReadFile, ReadConsoleW, HeapReAlloc, FindClose, FindFirstFileExW, FindNextFileW, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableW, WriteConsoleW

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/26/24-08:59:32.465846	TCP	2046267	ET TROJAN [ANY.RUN] RisePro TCP (External IP)	50500	49701	5.42.67.8	192.168.2.7
06/26/24-08:59:36.929586	TCP	2046269	ET TROJAN [ANY.RUN] RisePro TCP (Activity)	49701	50500	192.168.2.7	5.42.67.8
06/26/24-08:57:45.307172	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49701	50500	192.168.2.7	5.42.67.8
06/26/24-08:57:45.857539	TCP	2046266	ET TROJAN [ANY.RUN] RisePro TCP (Token)	50500	49701	5.42.67.8	192.168.2.7

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2024 08:57:45.297755003 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:45.304011106 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:57:45.304169893 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:45.307172060 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:45.311940908 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:57:45.857538939 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:57:45.897598028 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:48.976103067 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:57:48.981566906 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:20.319787979 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:20.324636936 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:39.116864920 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:39.121699095 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:48.507325888 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:48.512460947 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:51.632371902 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:51.637187958 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:54.773797989 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:54.778863907 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:58:57.898468971 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:58:57.903498888 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:01.023139000 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:01.028254986 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:04.163611889 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:04.168463945 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:07.288690090 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:07.353250980 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:10.429568052 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:10.549530983 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:13.569916964 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:13.576683044 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:16.710654974 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:16.715524912 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:19.851167917 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:19.856040955 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:22.992151022 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:22.997278929 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:26.116830111 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:26.183959007 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:29.242022038 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:29.247180939 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:32.382481098 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:32.433741093 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:32.435168982 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:32.465846062 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:32.465996027 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:32.549282074 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:32.549349070 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:32.549700022 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:32.553071976 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:32.553092957 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.008507013 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.008841038 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.016993999 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.017016888 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.017276049 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.069917917 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.075551987 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.120506048 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.204579115 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.204700947 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.204777002 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.207257986 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.207257986 CEST	49720	443	192.168.2.7	34.117.186.192
Jun 26, 2024 08:59:33.207282066 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.207292080 CEST	443	49720	34.117.186.192	192.168.2.7
Jun 26, 2024 08:59:33.227814913 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.227871895 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.227955103 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.228293896 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.228312016 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.689722061 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.689811945 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.693711042 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.693731070 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.694144964 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.698007107 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.744504929 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.797836065 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:33.851438999 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:33.897752047 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.897984028 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.898348093 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.900158882 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.900192022 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.900362015 CEST	49721	443	192.168.2.7	172.67.75.166
Jun 26, 2024 08:59:33.900371075 CEST	443	49721	172.67.75.166	192.168.2.7
Jun 26, 2024 08:59:33.901794910 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:33.949876070 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:36.929585934 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:36.934513092 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:38.961268902 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:39.007390022 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:46.685332060 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:46.741777897 CEST	49701	50500	192.168.2.7	5.42.67.8
Jun 26, 2024 08:59:48.365884066 CEST	50500	49701	5.42.67.8	192.168.2.7
Jun 26, 2024 08:59:48.413897991 CEST	49701	50500	192.168.2.7	5.42.67.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 26, 2024 08:59:32.535058022 CEST	63121	53	192.168.2.7	1.1.1.1
Jun 26, 2024 08:59:32.542617083 CEST	53	63121	1.1.1.1	192.168.2.7
Jun 26, 2024 08:59:33.210113049 CEST	63581	53	192.168.2.7	1.1.1.1
Jun 26, 2024 08:59:33.226600885 CEST	53	63581	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jun 26, 2024 08:59:32.535058022 CEST	192.168.2.7	1.1.1.1	0x1ba0	Standard query (0)	ipinfo.io	A (IP address)	IN (0x0001)	false
Jun 26, 2024 08:59:33.210113049 CEST	192.168.2.7	1.1.1.1	0xb2b6	Standard query (0)	db-ip.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Jun 26, 2024 08:59:32.542617083 CEST	1.1.1.1	192.168.2.7	0x1ba0	No error (0)	ipinfo.io	34.117.186.192	A (IP address)	IN (0x0001)	false
Jun 26, 2024 08:59:33.226600885 CEST	1.1.1.1	192.168.2.7	0xb2b6	No error (0)	db-ip.com	172.67.75.166	A (IP address)	IN (0x0001)	false
Jun 26, 2024 08:59:33.226600885 CEST	1.1.1.1	192.168.2.7	0xb2b6	No error (0)	db-ip.com	104.26.4.15	A (IP address)	IN (0x0001)	false
Jun 26, 2024 08:59:33.226600885 CEST	1.1.1.1	192.168.2.7	0xb2b6	No error (0)	db-ip.com	104.26.5.15	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ipinfo.io

https:

db-ip.com

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port
0	192.168.2.7	49700	34.117.186.192	443

Timestamp	Bytes transferred	Direction	Data
2024-06-26 06:57:37 UTC	59	OUT	GET / HTTP/1.1 Host: ipinfo.io Connection: Keep-Alive
2024-06-26 06:57:37 UTC	513	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Wed, 26 Jun 2024 06:57:37 GMT content-type: application/json; charset=utf-8 Content-Length: 319 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 2 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-26 06:57:37 UTC	319	IN	Data Raw: 7b 0a 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 0a 20 20 22 70 6f 73 74 61 6c 22 3a 20 22 31 30 30 30 31 22 2c 0a 20 20 22 74 69 6d 65 7a 6f 6e 65 22 3a 20 22 Data Ascii: { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level 3 Parent, LLC", "postal": "10001", "timezone": "

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49720	34.117.186.192	443	2516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-26 06:59:33 UTC	236	OUT	GET /widget/demo/8.46.123.33 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
2024-06-26 06:59:33 UTC	514	IN	HTTP/1.1 200 OK server: nginx/1.24.0 date: Wed, 26 Jun 2024 06:59:33 GMT content-type: application/json; charset=utf-8 Content-Length: 1025 access-control-allow-origin: * x-frame-options: SAMEORIGIN x-xss-protection: 1; mode=block x-content-type-options: nosniff referrer-policy: strict-origin-when-cross-origin x-envoy-upstream-service-time: 3 via: 1.1 google strict-transport-security: max-age=2592000; includeSubDomains Alt-Svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000 Connection: close
2024-06-26 06:59:33 UTC	876	IN	Data Raw: 7b 0a 20 20 22 69 6e 70 75 74 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 22 64 61 74 61 22 3a 20 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 0a 20 20 20 20 22 68 6f 73 74 6e 61 6d 65 22 3a 20 22 73 74 61 74 69 63 2d 63 70 65 2d 38 2d 34 36 2d 31 32 33 2d 33 33 2e 63 65 6e 74 75 72 79 6c 69 6e 6b 2e 63 6f 6d 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 4e 65 77 20 59 6f 72 6b 20 43 69 74 79 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 55 53 22 2c 0a 20 20 20 20 22 6c 6f 63 22 3a 20 22 34 30 2e 37 31 34 33 2c 2d 37 34 2e 30 30 36 30 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 Data Ascii: { "input": "8.46.123.33", "data": { "ip": "8.46.123.33", "hostname": "static-cpe-8-46-123-33.centurylink.com", "city": "New York City", "region": "New York", "country": "US", "loc": "40.7143,-74.0060", "org": "AS3356 Level
2024-06-26 06:59:33 UTC	149	IN	Data Raw: 65 6d 61 69 6c 22 3a 20 22 61 62 75 73 65 40 61 75 70 2e 6c 75 6d 65 6e 2e 63 6f 6d 22 2c 0a 20 20 20 20 20 20 22 6e 61 6d 65 22 3a 20 22 43 65 6e 74 75 72 79 6c 69 6e 6b 20 41 62 75 73 65 20 44 65 73 6b 22 2c 0a 20 20 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 2e 34 36 2e 31 32 33 2e 30 2f 32 34 22 2c 0a 20 20 20 20 20 20 22 70 68 6f 6e 65 22 3a 20 22 2b 31 2d 38 37 37 2d 38 38 36 2d 36 35 31 35 22 0a 20 20 20 20 7d 0a 20 20 7d 0a 7d Data Ascii: email": "abuse@aup.lumen.com", "name": "Centurylink Abuse Desk", "network": "8.46.123.0/24", "phone": "+1-877-886-6515" } }}

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49721	172.67.75.166	443	2516	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	Bytes transferred	Direction	Data
2024-06-26 06:59:33 UTC	260	OUT	GET /demo/home.php?s=8.46.123.33 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
2024-06-26 06:59:33 UTC	665	IN	HTTP/1.1 200 OK Date: Wed, 26 Jun 2024 06:59:33 GMT Content-Type: application/json Transfer-Encoding: chunked Connection: close x-iplb-request-id: AC466F7F:9CA2_93878F2E:0050_667BBC55_15DB0975:4F34 x-iplb-instance: 59215 CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dxI4ToxjZw9q7QF94cxCc0W%2Flhon%2FcwjswI43%2F%2FN%2FRRSnUORQOEnriRS2ngRG1aa1GoK90MxS4hSo%2FfQCvUW7StzpCfuug%2F9ELHmTdOyAJ0zUo9FX0MAt%2FE2CA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 899b50b8199e1839-EWR alt-svc: h3=":443"; ma=86400
2024-06-26 06:59:33 UTC	673	IN	Data Raw: 32 39 61 0d 0a 7b 22 73 74 61 74 75 73 22 3a 22 6f 6b 22 2c 22 64 65 6d 6f 49 6e 66 6f 22 3a 7b 22 69 70 41 64 64 72 65 73 73 22 3a 22 38 2e 34 36 2e 31 32 33 2e 33 33 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 43 6f 64 65 22 3a 22 4e 41 22 2c 22 63 6f 6e 74 69 6e 65 6e 74 4e 61 6d 65 22 3a 22 4e 6f 72 74 68 20 41 6d 65 72 69 63 61 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 63 6f 75 6e 74 72 79 4e 61 6d 65 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 69 73 45 75 4d 65 6d 62 65 72 22 3a 66 61 6c 73 65 2c 22 63 75 72 72 65 6e 63 79 43 6f 64 65 22 3a 22 55 53 44 22 2c 22 63 75 72 72 65 6e 63 79 4e 61 6d 65 22 3a 22 44 6f 6c 6c 61 72 22 2c 22 70 68 6f 6e 65 50 72 65 66 69 78 22 3a 22 31 22 2c 22 6c 61 6e 67 75 61 67 65 73 22 3a 5b Data Ascii: 29a{"status":"ok","demoInfo":{"ipAddress":"8.46.123.33","continentCode":"NA","continentName":"North America","countryCode":"US","countryName":"United States","isEuMember":false,"currencyCode":"USD","currencyName":"Dollar","phonePrefix":"1","languages":[
2024-06-26 06:59:33 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	02:57:42
Start date:	26/06/2024
Path:	C:\Users\user\Desktop\rise2406.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\rise2406.exe"
Imagebase:	0x520000
File size:	1'870'848 bytes
MD5 hash:	C6C9F27D335D4E47B5EA12653E806BE6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:57:42
Start date:	26/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	02:57:43
Start date:	26/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x260000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	02:57:43
Start date:	26/06/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
Imagebase:	0x620000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	02:57:43
Start date:	26/06/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 3180 -s 140
Imagebase:	0x40000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report rise2406.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_rise2406.exe_a2fa92cb97a2b320a08f8e64ea523b20ebb5f8f1_8f97a443_dd428d2d-1b53-456e-afc5-446050e7694b\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1E75.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F7F.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER1FAF.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
rise2406.exe