Windows Analysis Report
BRWgvKaqbg.exe

Overview

General Information

Sample name: BRWgvKaqbg.exe
renamed because original name is a hash value
Original sample name: c72e70f29d3dd8fa148df55e8e6dec43.exe
Analysis ID: 1463427
MD5: c72e70f29d3dd8fa148df55e8e6dec43
SHA1: 2f182d43528f78d6d847b37b77da9a09a2ed1f0a
SHA256: baff3039b9acf97084d1b853f495026c52a4c483d010901e226beb599d23df5b
Tags: 32exetrojan
Infos:

Detection

PureLog Stealer, RisePro Stealer, Vidar, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Powershell download and execute
Yara detected PureLog Stealer
Yara detected RisePro Stealer
Yara detected Vidar stealer
Yara detected zgRAT
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after checking mutex)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Searches for specific processes (likely to inject)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Enables security privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses the system / local time for branch decision (may execute only at specific dates)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

barindex
Source: http://5.42.67.8/vidar2606.exe3 Avira URL Cloud: Label: phishing
Source: http://5.42.67.8/lumma2606.exe Avira URL Cloud: Label: phishing
Source: http://5.42.67.8/vidar2606.exea Avira URL Cloud: Label: phishing
Source: http://5.42.67.8/meta2606.exev Avira URL Cloud: Label: phishing
Source: http://5.42.67.8/vidar2606.exe_ Avira URL Cloud: Label: phishing
Source: http://5.42.67.8/rise2606.exeNp Avira URL Cloud: Label: phishing
Source: http://5.42.67.8/meta2606.exe Avira URL Cloud: Label: phishing
Source: http://5.42.67.8/lumma2606.exep Avira URL Cloud: Label: phishing
Source: http://5.42.67.8/vidar2606.exe Avira URL Cloud: Label: phishing
Source: http://5.42.67.8/rise2606.exe Avira URL Cloud: Label: phishing
Source: https://steamcommunity.com/profiles/76561199707802586 Avira URL Cloud: Label: malware
Source: https://t.me/g067n Avira URL Cloud: Label: malware
Source: http://5.42.67.8/vidar2606.exe- Avira URL Cloud: Label: phishing
Source: 0000002A.00000002.2301583226.000000000045F000.00000004.00000001.01000000.0000000F.sdmp Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199707802586", "https://t.me/g067n"], "Botnet": "6b8642176bdf6e69e18dcef863f92aad"}
Source: http://5.42.67.8/lumma2606.exe Virustotal: Detection: 17% Perma Link
Source: https://49.13.33.235:9000 Virustotal: Detection: 11% Perma Link
Source: https://49.13.33.235:9000/ Virustotal: Detection: 11% Perma Link
Source: https://49.13.33.235/0 Virustotal: Detection: 12% Perma Link
Source: http://5.42.67.8/meta2606.exe Virustotal: Detection: 17% Perma Link
Source: C:\ProgramData\MSIUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\MSIUpdaterV168.exe ReversingLabs: Detection: 79%
Source: C:\ProgramData\MSIUpdaterV168_bf601beeeacc93e7a6f37b80206515f4\MSIUpdaterV168.exe ReversingLabs: Detection: 62%
Source: C:\ProgramData\MSIUpdaterV168_e9e7ec3f581e0402136334ffa3c9b874\MSIUpdaterV168.exe ReversingLabs: Detection: 57%
Source: C:\ProgramData\MSIUpdaterV168_fa0f5bd45309081f2cfb5ab42e0d965f\MSIUpdaterV168.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\AdobeUpdaterV168.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_bf601beeeacc93e7a6f37b80206515f4\AdobeUpdaterV168.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_e9e7ec3f581e0402136334ffa3c9b874\AdobeUpdaterV168.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_fa0f5bd45309081f2cfb5ab42e0d965f\AdobeUpdaterV168.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vidar2606[1].exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\meta2606[1].exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma2606[1].exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\rise2606[1].exe ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\hhUml7ndoUuFxb5WyDjE.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\ijOeGUQOWTvL4Jd0VuCY.exe ReversingLabs: Detection: 79%
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\pQuKvF5V8lUXfe4thfRR.exe ReversingLabs: Detection: 57%
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\s7jOcwxjI7k0XEcaiYN_.exe ReversingLabs: Detection: 63%
Source: BRWgvKaqbg.exe Virustotal: Detection: 40% Perma Link
Source: BRWgvKaqbg.exe ReversingLabs: Detection: 63%
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\ProgramData\MSIUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\MSIUpdaterV168.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\AdobeUpdaterV168.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\pQuKvF5V8lUXfe4thfRR.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\rise2606[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\hhUml7ndoUuFxb5WyDjE.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\meta2606[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vidar2606[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\ijOeGUQOWTvL4Jd0VuCY.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\AdobeUpdaterV168.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\MSIUpdaterV168.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\MSIUpdaterV168.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\AdobeUpdaterV168.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\AdobeUpdaterV168.exe Joe Sandbox ML: detected
Source: C:\ProgramData\MSIUpdaterV168_672d1ad293a4f876ddc1e7a924b38ed7\MSIUpdaterV168.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\lumma2606[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\s7jOcwxjI7k0XEcaiYN_.exe Joe Sandbox ML: detected
Source: BRWgvKaqbg.exe Joe Sandbox ML: detected
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: I8S%
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: usernameField
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: a GX Stable
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: uctName
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: layVersion
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: sktop\
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: F783D5D3EF8C*
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: T=@?VDX;W:R1J )M$
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: #5EG P%:{
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: ystemInfo
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: 304FDQ8L\h$
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: %hu/%hu
Source: 43.2.RegAsm.exe.400000.1.raw.unpack String decryptor: ero\wallet.k9ys
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004C6B00 CryptUnprotectData,CryptUnprotectData,LocalFree,LocalFree, 2_2_004C6B00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_00407E41 CryptUnprotectData,LocalAlloc,LocalFree, 43_2_00407E41
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0041302D CryptBinaryToStringA,GetProcessHeap,HeapAlloc,CryptBinaryToStringA, 43_2_0041302D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_00407DC2 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree, 43_2_00407DC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0040AB80 memset,lstrlenA,CryptStringToBinaryA,memcpy,lstrcatA,lstrcatA,lstrcatA, 43_2_0040AB80
Source: BRWgvKaqbg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: BRWgvKaqbg.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2359052796.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000002.00000002.2359052796.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: RegAsm.exe, 0000002B.00000002.4575776103.000000001C41F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4582203171.0000000022398000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.43.dr
Source: C:\Users\user\Desktop\BRWgvKaqbg.exe Code function: 0_2_00589BD3 FindFirstFileExW, 0_2_00589BD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004C6000 CreateDirectoryA,FindFirstFileA,FindNextFileA,GetLastError,FindClose, 2_2_004C6000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004E6770 CreateDirectoryA,FindFirstFileA,SetFileAttributesA,DeleteFileA,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 2_2_004E6770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00493F40 SHGetFolderPathA,FindFirstFileA,FindNextFileA,FindClose,CreateDirectoryA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CreateDirectoryA,CreateDirectoryA,CopyFileA,CopyFileA, 2_2_00493F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00431F9C FindClose,FindFirstFileExW,GetLastError, 2_2_00431F9C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00432022 GetLastError,GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 2_2_00432022
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004938D0 FindFirstFileA,FindNextFileA,GetLastError,FindClose, 2_2_004938D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0044FC2F FindFirstFileExW, 2_2_0044FC2F
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\s7jOcwxjI7k0XEcaiYN_.exe Code function: 13_2_00DB9BD3 FindFirstFileExW, 13_2_00DB9BD3
Source: C:\ProgramData\MSIUpdaterV168_fa0f5bd45309081f2cfb5ab42e0d965f\MSIUpdaterV168.exe Code function: 14_2_00639BD3 FindFirstFileExW, 14_2_00639BD3
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\hhUml7ndoUuFxb5WyDjE.exe Code function: 26_2_00BE9BD3 FindFirstFileExW, 26_2_00BE9BD3
Source: C:\ProgramData\MSIUpdaterV168_bf601beeeacc93e7a6f37b80206515f4\MSIUpdaterV168.exe Code function: 33_2_00C49BD3 FindFirstFileExW, 33_2_00C49BD3
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\pQuKvF5V8lUXfe4thfRR.exe Code function: 42_2_00449BD3 FindFirstFileExW, 42_2_00449BD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_00409FC0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 43_2_00409FC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_00401443 FindFirstFileA,StrCmpCA,StrCmpCA,FindFirstFileA,FindNextFileA,FindClose,FindNextFileA,FindClose, 43_2_00401443
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0040E016 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 43_2_0040E016
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0040C039 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 43_2_0040C039
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_004164C7 wsprintfA,FindFirstFileA,memset,memset,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,memset,lstrcatA,strtok_s,strtok_s,memset,lstrcatA,strtok_s,PathMatchSpecA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,strtok_s,FindNextFileA,FindClose, 43_2_004164C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0040BC98 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 43_2_0040BC98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_00416D7D wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 43_2_00416D7D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0040D690 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlenA,FindNextFileA,FindClose, 43_2_0040D690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0040C6B5 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA, 43_2_0040C6B5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_004177D3 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,lstrcatA,FindNextFileA,FindClose, 43_2_004177D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0041738D GetProcessHeap,HeapAlloc,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,FindNextFileA,FindClose,lstrcatA,lstrcatA,lstrlenA,lstrlenA, 43_2_0041738D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_004169EC GetLogicalDriveStringsA,memset,GetDriveTypeA,lstrcpyA,lstrcpyA,lstrcpyA,lstrcpyA, 43_2_004169EC
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_s7jOcwxjI7k0XEca_b8c743ab1b26314ff4eb66311a29ecf38ef3b8d_a87f9504_c293dfb7-dcd6-476b-a2f9-a26394e0cfea\
Source: C:\Windows\SysWOW64\WerFault.exe File opened: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_BRWgvKaqbg.exe_b6c6e8b22b35c86acca60f780f38ec328115af3_0005ee48_b107b2da-c7d6-4430-a6d2-0f523ea64a9c\

Networking

barindex
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49706 -> 5.42.67.8:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 5.42.67.8:50500
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.67.8:50500 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.5:49723
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49723 -> 5.42.67.8:50500
Source: Traffic Snort IDS: 2054010 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (spitechallengddwlsv .xyz) 192.168.2.5:65207 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2054014 ET TROJAN Lumma Stealer Related CnC Domain in DNS Lookup (varitycookypowerw .xyz) 192.168.2.5:61566 -> 1.1.1.1:53
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.5:49740
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.5:49741
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49740 -> 5.42.67.8:50500
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49741 -> 5.42.67.8:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.67.8:50500 -> 192.168.2.5:49755
Source: Malware configuration extractor URLs: https://steamcommunity.com/profiles/76561199707802586
Source: Malware configuration extractor URLs: https://t.me/g067n
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 5.42.67.8:50500
Source: global traffic TCP traffic: 192.168.2.5:49737 -> 49.13.33.235:9000
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 04:44:18 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Wed, 26 Jun 2024 08:56:00 GMTETag: "1c3000-61bc72ef1ac6c"Accept-Ranges: bytesContent-Length: 1847296Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 04 93 d3 c8 40 f2 bd 9b 40 f2 bd 9b 40 f2 bd 9b 93 80 be 9a 51 f2 bd 9b 93 80 b8 9a e9 f2 bd 9b 93 80 b9 9a 56 f2 bd 9b 82 73 b9 9a 52 f2 bd 9b 93 80 bc 9a 47 f2 bd 9b 40 f2 bc 9b c6 f2 bd 9b 82 73 b8 9a 1c f2 bd 9b 82 73 be 9a 58 f2 bd 9b b3 70 b8 9a 41 f2 bd 9b b3 70 bf 9a 41 f2 bd 9b 52 69 63 68 40 f2 bd 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 93 d7 7b 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 12 02 00 00 2a 1a 00 00 00 00 00 e8 96 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 1c 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac d9 02 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 1c 00 28 21 00 00 a8 ae 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 af 02 00 18 00 00 00 e8 ad 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f2 03 02 00 00 10 00 00 00 04 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 42 73 53 00 00 00 00 6d 0d 00 00 00 20 02 00 00 0e 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7a b2 00 00 00 30 02 00 00 b4 00 00 00 16 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 94 53 19 00 00 f0 02 00 00 44 19 00 00 ca 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 28 21 00 00 00 50 1c 00 00 22 00 00 00 0e 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 04:44:21 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Wed, 26 Jun 2024 08:58:12 GMTETag: "abc00-61bc736d9c154"Accept-Ranges: bytesContent-Length: 703488Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 04 93 d3 c8 40 f2 bd 9b 40 f2 bd 9b 40 f2 bd 9b 93 80 be 9a 51 f2 bd 9b 93 80 b8 9a e9 f2 bd 9b 93 80 b9 9a 56 f2 bd 9b 82 73 b9 9a 52 f2 bd 9b 93 80 bc 9a 47 f2 bd 9b 40 f2 bc 9b c6 f2 bd 9b 82 73 b8 9a 1c f2 bd 9b 82 73 be 9a 58 f2 bd 9b b3 70 b8 9a 41 f2 bd 9b b3 70 bf 9a 41 f2 bd 9b 52 69 63 68 40 f2 bd 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 20 d8 7b 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 12 02 00 00 b6 08 00 00 00 00 00 e8 96 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 0b 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac d9 02 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 0a 00 20 21 00 00 a8 ae 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 af 02 00 18 00 00 00 e8 ad 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f2 03 02 00 00 10 00 00 00 04 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 42 73 53 00 00 00 00 6d 0d 00 00 00 20 02 00 00 0e 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7a b2 00 00 00 30 02 00 00 b4 00 00 00 16 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 94 df 07 00 00 f0 02 00 00 d0 07 00 00 ca 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 20 21 00 00 00 d0 0a 00 00 22 00 00 00 9a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 04:44:23 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Wed, 26 Jun 2024 09:00:39 GMTETag: "64600-61bc73f90cc60"Accept-Ranges: bytesContent-Length: 411136Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 04 93 d3 c8 40 f2 bd 9b 40 f2 bd 9b 40 f2 bd 9b 93 80 be 9a 51 f2 bd 9b 93 80 b8 9a e9 f2 bd 9b 93 80 b9 9a 56 f2 bd 9b 82 73 b9 9a 52 f2 bd 9b 93 80 bc 9a 47 f2 bd 9b 40 f2 bc 9b c6 f2 bd 9b 82 73 b8 9a 1c f2 bd 9b 82 73 be 9a 58 f2 bd 9b b3 70 b8 9a 41 f2 bd 9b b3 70 bf 9a 41 f2 bd 9b 52 69 63 68 40 f2 bd 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 63 d8 7b 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 12 02 00 00 40 04 00 00 00 00 00 e8 96 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 06 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac d9 02 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 06 00 28 21 00 00 a8 ae 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 af 02 00 18 00 00 00 e8 ad 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f2 03 02 00 00 10 00 00 00 04 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 42 73 53 00 00 00 00 6d 0d 00 00 00 20 02 00 00 0e 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7a b2 00 00 00 30 02 00 00 b4 00 00 00 16 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 94 69 03 00 00 f0 02 00 00 5a 03 00 00 ca 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 28 21 00 00 00 60 06 00 00 22 00 00 00 24 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 27 Jun 2024 04:44:25 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30Last-Modified: Wed, 26 Jun 2024 09:27:05 GMTETag: "7a800-61bc79e22cb78"Accept-Ranges: bytesContent-Length: 501760Content-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 04 93 d3 c8 40 f2 bd 9b 40 f2 bd 9b 40 f2 bd 9b 93 80 be 9a 51 f2 bd 9b 93 80 b8 9a e9 f2 bd 9b 93 80 b9 9a 56 f2 bd 9b 82 73 b9 9a 52 f2 bd 9b 93 80 bc 9a 47 f2 bd 9b 40 f2 bc 9b c6 f2 bd 9b 82 73 b8 9a 1c f2 bd 9b 82 73 be 9a 58 f2 bd 9b b3 70 b8 9a 41 f2 bd 9b b3 70 bf 9a 41 f2 bd 9b 52 69 63 68 40 f2 bd 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 e7 de 7b 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 27 00 12 02 00 00 a2 05 00 00 00 00 00 e8 96 00 00 00 10 00 00 00 30 02 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 07 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ac d9 02 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 07 00 1c 21 00 00 a8 ae 02 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 af 02 00 18 00 00 00 e8 ad 02 00 40 00 00 00 00 00 00 00 00 00 00 00 00 30 02 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f2 03 02 00 00 10 00 00 00 04 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 42 73 53 00 00 00 00 6d 0d 00 00 00 20 02 00 00 0e 00 00 00 08 02 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 7a b2 00 00 00 30 02 00 00 b4 00 00 00 16 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 94 cb 04 00 00 f0 02 00 00 bc 04 00 00 ca 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 1c 21 00 00 00 c0 07 00 00 22 00 00 00 86 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 5.42.67.8 5.42.67.8
Source: Joe Sandbox View IP Address: 104.26.4.15 104.26.4.15
Source: Joe Sandbox View ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: HEAD /rise2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /rise2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /meta2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /meta2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /vidar2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vidar2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /lumma2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /lumma2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.67.8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004C8590 recv,WSAStartup,getaddrinfo,closesocket,socket,connect,closesocket,freeaddrinfo,WSACleanup,freeaddrinfo, 2_2_004C8590
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: ipinfo.ioConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /g067n HTTP/1.1Host: t.meConnection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /widget/demo/8.46.123.33 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=8.46.123.33 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /rise2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /meta2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /vidar2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /lumma2606.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 5.42.67.8Cache-Control: no-cache
Source: RegAsm.exe, 0000001C.00000002.2283576275.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: $]q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000001C.00000002.2283576275.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000001C.00000002.2283576275.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: RegAsm.exe, 0000001C.00000002.2283576275.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `,]q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: t.me
Source: RegAsm.exe, 00000002.00000002.2360684561.00000000057AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/lumma2606.exe
Source: RegAsm.exe, 00000002.00000002.2360684561.00000000057AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/lumma2606.exep
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2360684561.00000000057AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/meta2606.exe
Source: RegAsm.exe, 00000002.00000002.2360684561.00000000057AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/meta2606.exev
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2359052796.0000000000FE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/rise2606.exe
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/rise2606.exeNp
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2360684561.00000000057AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/vidar2606.exe
Source: RegAsm.exe, 00000002.00000002.2360684561.00000000057AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/vidar2606.exe-
Source: RegAsm.exe, 00000002.00000002.2360684561.00000000057AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/vidar2606.exe3
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/vidar2606.exe_
Source: RegAsm.exe, 00000002.00000002.2360684561.00000000057AB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.67.8/vidar2606.exea
Source: RegAsm.exe, 0000002B.00000002.4568930773.0000000000F4A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: RegAsm.exe, 0000002B.00000002.4568930773.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en;
Source: RegAsm.exe, 00000002.00000002.2358106587.0000000000F07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.exif/1
Source: RegAsm.exe, 00000002.00000002.2358106587.0000000000F07000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsofo/1.2/
Source: Amcache.hve.6.dr String found in binary or memory: http://upx.sf.net
Source: RegAsm.exe, 0000002B.00000002.4575776103.000000001C41F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4582423734.00000000223CD000.00000002.00001000.00020000.00000000.sdmp, sqlt[1].dll.43.dr String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: BRWgvKaqbg.exe, 00000000.00000002.2242964573.000000000059F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, RegAsm.exe, 00000002.00000002.2356975789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, s7jOcwxjI7k0XEcaiYN_.exe, 0000000D.00000002.2290987179.0000000000DCF000.00000004.00000001.01000000.00000007.sdmp, MSIUpdaterV168.exe, 0000000E.00000002.2340892843.000000000064F000.00000004.00000001.01000000.00000008.sdmp, MSIUpdaterV168.exe, 0000000F.00000002.2297891891.000000000064F000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235/0
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235/N
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000
Source: RegAsm.exe, 0000002B.00000002.4568930773.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/33.235:9000/
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/4)
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/B
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/D
Source: RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/al
Source: RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/d7b7frosoft
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/freebl3.dll
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/freebl3.dll-
Source: RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/freebl3.dllt
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000107D000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/mozglue.dll
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/mozglue.dll_
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/mozglue.dllc
Source: RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/mozglue.dllt
Source: RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/msvcp140.dll
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/msvcp140.dllA
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/msvcp140.dllD
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/msvcp140.dllJ
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/nss3.dll
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/nss3.dlldll
Source: RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/nss3.dllsoft
Source: RegAsm.exe, 0000002B.00000002.4567061171.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/softokn3.dll
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/softokn3.dll;
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/softokn3.dllf
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/sqlt.dll
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/sqlt.dllb
Source: RegAsm.exe, 0000002B.00000002.4567061171.000000000043F000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4567061171.0000000000445000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/vcruntime140.dll
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/vcruntime140.dllB
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/vcruntime140.dllH
Source: RegAsm.exe, 0000002B.00000002.4567061171.0000000000445000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/vcruntime140.dlle
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/vcruntime140.dllhs
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/vcruntime140.dllppet
Source: RegAsm.exe, 0000002B.00000002.4570012626.000000000108A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000/vcruntime140.dllt
Source: RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000aming
Source: RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000cal
Source: RegAsm.exe, 0000002B.00000002.4567061171.0000000000539000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000csrss.exe
Source: RegAsm.exe, 0000002B.00000002.4567061171.00000000005C8000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://49.13.33.235:9000tel
Source: CvldljVivtL9Web Data.2.dr, BAAEHD.43.dr, ev40y13uGHnnWeb Data.2.dr, atr5zp8nilwZWeb Data.2.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 0000001C.00000002.2283576275.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.s
Source: RegAsm.exe, 0000001C.00000002.2283576275.0000000002AAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: CvldljVivtL9Web Data.2.dr, BAAEHD.43.dr, ev40y13uGHnnWeb Data.2.dr, atr5zp8nilwZWeb Data.2.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: CvldljVivtL9Web Data.2.dr, BAAEHD.43.dr, ev40y13uGHnnWeb Data.2.dr, atr5zp8nilwZWeb Data.2.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: CvldljVivtL9Web Data.2.dr, BAAEHD.43.dr, ev40y13uGHnnWeb Data.2.dr, atr5zp8nilwZWeb Data.2.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000028.00000002.3775221694.000000000167F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: RegAsm.exe, 00000013.00000002.4254155191.00000000011CB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/1
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.4254155191.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.4254155191.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3775221694.000000000167F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3775221694.000000000165A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=8.46.123.33
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/x
Source: RegAsm.exe, 00000013.00000002.4254155191.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3775221694.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=8.46.123.33J
Source: RegAsm.exe, 0000001C.00000002.2283576275.0000000002B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://discord.com/api/v9/users/
Source: CvldljVivtL9Web Data.2.dr, BAAEHD.43.dr, ev40y13uGHnnWeb Data.2.dr, atr5zp8nilwZWeb Data.2.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: CvldljVivtL9Web Data.2.dr, BAAEHD.43.dr, ev40y13uGHnnWeb Data.2.dr, atr5zp8nilwZWeb Data.2.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: CvldljVivtL9Web Data.2.dr, BAAEHD.43.dr, ev40y13uGHnnWeb Data.2.dr, atr5zp8nilwZWeb Data.2.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: RegAsm.exe, 00000013.00000002.4253708166.000000000115A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3774884245.00000000015F3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3775221694.000000000167F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3775221694.0000000001644000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3774884245.00000000015FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: RegAsm.exe, 00000028.00000002.3774884245.00000000015FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/=
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000000FC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/I
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.4254155191.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3775221694.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: BRWgvKaqbg.exe, 00000000.00000002.2242964573.000000000059F000.00000004.00000001.01000000.00000003.sdmp, RegAsm.exe, 00000002.00000002.2356975789.0000000000400000.00000040.00000400.00020000.00000000.sdmp, s7jOcwxjI7k0XEcaiYN_.exe, 0000000D.00000002.2290987179.0000000000DCF000.00000004.00000001.01000000.00000007.sdmp, MSIUpdaterV168.exe, 0000000E.00000002.2340892843.000000000064F000.00000004.00000001.01000000.00000008.sdmp, MSIUpdaterV168.exe, 0000000F.00000002.2297891891.000000000064F000.00000004.00000001.01000000.00000008.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: RegAsm.exe, 00000028.00000002.3774884245.00000000015EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33
Source: RegAsm.exe, 00000013.00000002.4254155191.0000000001188000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33?G
Source: RegAsm.exe, 00000013.00000002.4253708166.000000000112A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.33j
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000013.00000002.4254155191.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3775221694.0000000001644000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/8.46.123.33
Source: pQuKvF5V8lUXfe4thfRR.exe, 0000002A.00000002.2301583226.000000000045F000.00000004.00000001.01000000.0000000F.sdmp, RegAsm.exe, RegAsm.exe, 0000002B.00000002.4567061171.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586
Source: pQuKvF5V8lUXfe4thfRR.exe, 0000002A.00000002.2301583226.000000000045F000.00000004.00000001.01000000.0000000F.sdmp, RegAsm.exe, 0000002B.00000002.4567061171.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199707802586hellosqlt.dllsqlite3.dll
Source: 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://support.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: RegAsm.exe, 00000028.00000002.3775221694.000000000165A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.K
Source: RegAsm.exe, 0000002B.00000002.4568930773.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/
Source: RegAsm.exe, 00000013.00000002.4253708166.000000000112A000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3774884245.00000000015BA000.00000004.00000020.00020000.00000000.sdmp, ZAu2iiJBgBZikoF1oNNHtbO.zip.2.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RegAsm.exe, 00000028.00000002.3774884245.00000000015BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT&nd
Source: pQuKvF5V8lUXfe4thfRR.exe, 0000002A.00000002.2301583226.000000000045F000.00000004.00000001.01000000.0000000F.sdmp, RegAsm.exe, RegAsm.exe, 0000002B.00000002.4567061171.0000000000400000.00000040.00000400.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 0000002B.00000002.4568930773.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/g067n
Source: pQuKvF5V8lUXfe4thfRR.exe, 0000002A.00000002.2301583226.000000000045F000.00000004.00000001.01000000.0000000F.sdmp, RegAsm.exe, 0000002B.00000002.4567061171.0000000000400000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://t.me/g067nry1neMozilla/5.0
Source: RegAsm.exe, 00000028.00000002.3775221694.000000000167F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro
Source: RegAsm.exe, 00000028.00000002.3775221694.000000000167F000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000028.00000002.3775969962.0000000005A65000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.2.dr String found in binary or memory: https://t.me/risepro_bot
Source: RegAsm.exe, 00000002.00000002.2359052796.0000000001021000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: RegAsm.exe, 00000028.00000002.3775221694.000000000167F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botlater3
Source: RegAsm.exe, 0000002B.00000002.4569542245.0000000000FC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web.telegram.org
Source: CvldljVivtL9Web Data.2.dr, BAAEHD.43.dr, ev40y13uGHnnWeb Data.2.dr, atr5zp8nilwZWeb Data.2.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: CvldljVivtL9Web Data.2.dr, BAAEHD.43.dr, ev40y13uGHnnWeb Data.2.dr, atr5zp8nilwZWeb Data.2.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://www.mozilla.org
Source: 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: RegAsm.exe, 00000002.00000002.2360684561.000000000571B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2359052796.000000000107A000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.2.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: RegAsm.exe, 00000002.00000002.2360684561.0000000005757000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.2.dr, 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000002.00000002.2360684561.0000000005757000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.2.dr, 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: RegAsm.exe, 00000002.00000002.2360684561.000000000571B000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2359052796.000000000107A000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.2.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: RegAsm.exe, 00000002.00000002.2360684561.0000000005757000.00000004.00000020.00020000.00000000.sdmp, D87fZN3R3jFeplaces.sqlite.2.dr, 3b6N2Xdh3CYwplaces.sqlite.2.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: RegAsm.exe, 00000002.00000002.2359052796.000000000107A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/txtx
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49777
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49776
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49774
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49773
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49772
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49771
Source: unknown Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49776 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49777 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49773 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49778 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown Network traffic detected: HTTP traffic on port 49774 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 49771 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49772 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49778
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 149.154.167.99:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49772 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49773 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49774 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49775 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49776 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49777 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.4.15:443 -> 192.168.2.5:49778 version: TLS 1.2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004E5FF0 GdiplusStartup,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,DeleteObject,GdipDisposeImage,DeleteObject,ReleaseDC,GdiplusShutdown, 2_2_004E5FF0
Source: RegAsm.exe, 0000001C.00000002.2283576275.0000000002CA8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData memstr_e84ee4f5-a

System Summary

barindex
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 26.2.hhUml7ndoUuFxb5WyDjE.exe.bd0000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 33.2.MSIUpdaterV168.exe.c30000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: 35.2.MSIUpdaterV168.exe.c30000.0.unpack, type: UNPACKEDPE Matched rule: Detects zgRAT Author: ditekSHen
Source: Process Memory Space: pQuKvF5V8lUXfe4thfRR.exe PID: 7288, type: MEMORYSTR Matched rule: Detects Molerats sample - July 2017 Author: Florian Roth
Source: C:\Users\user\Desktop\BRWgvKaqbg.exe Code function: 0_2_005928F0 0_2_005928F0
Source: C:\Users\user\Desktop\BRWgvKaqbg.exe Code function: 0_2_0058C207 0_2_0058C207
Source: C:\Users\user\Desktop\BRWgvKaqbg.exe Code function: 0_2_00588D09 0_2_00588D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0044002D 2_2_0044002D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004C00A0 2_2_004C00A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004A6250 2_2_004A6250
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004AA200 2_2_004AA200
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040A2C0 2_2_0040A2C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0050A2B0 2_2_0050A2B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004BE3C0 2_2_004BE3C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004963B0 2_2_004963B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004DE430 2_2_004DE430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004B84D0 2_2_004B84D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004FA480 2_2_004FA480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00514550 2_2_00514550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00490600 2_2_00490600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004E06D0 2_2_004E06D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004986B0 2_2_004986B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004A88B0 2_2_004A88B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004FA930 2_2_004FA930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004E4BD0 2_2_004E4BD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004FAD00 2_2_004FAD00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0049AF60 2_2_0049AF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004DF030 2_2_004DF030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0049F0D0 2_2_0049F0D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0049D3A0 2_2_0049D3A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0053F550 2_2_0053F550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004B3600 2_2_004B3600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004D7600 2_2_004D7600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004B1630 2_2_004B1630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00495790 2_2_00495790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0040B8E0 2_2_0040B8E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0048BAC8 2_2_0048BAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004ADB20 2_2_004ADB20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00481C10 2_2_00481C10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00409C90 2_2_00409C90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F7D00 2_2_004F7D00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00493F40 2_2_00493F40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004C1F20 2_2_004C1F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005220D0 2_2_005220D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F60E0 2_2_004F60E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004EE170 2_2_004EE170
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0048611D 2_2_0048611D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00512260 2_2_00512260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0044036F 2_2_0044036F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004A4320 2_2_004A4320
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005083F6 2_2_005083F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F0450 2_2_004F0450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004845E0 2_2_004845E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F85F0 2_2_004F85F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004547BF 2_2_004547BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00548840 2_2_00548840
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F2820 2_2_004F2820
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0043C960 2_2_0043C960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00546970 2_2_00546970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0043A928 2_2_0043A928
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005489CB 2_2_005489CB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00548983 2_2_00548983
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00548A53 2_2_00548A53
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00548A69 2_2_00548A69
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F8B40 2_2_004F8B40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00458BB0 2_2_00458BB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004EEC40 2_2_004EEC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00548C8D 2_2_00548C8D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00534D40 2_2_00534D40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00546D20 2_2_00546D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00548D85 2_2_00548D85
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00548DA7 2_2_00548DA7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00548E26 2_2_00548E26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0053AE20 2_2_0053AE20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00458E30 2_2_00458E30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00506EA0 2_2_00506EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00516EA0 2_2_00516EA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004ECF20 2_2_004ECF20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F2FD0 2_2_004F2FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0054901B 2_2_0054901B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00493080 2_2_00493080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004371A0 2_2_004371A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005031A0 2_2_005031A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0054923A 2_2_0054923A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004A9380 2_2_004A9380
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004D1450 2_2_004D1450
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0042F580 2_2_0042F580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004D3600 2_2_004D3600
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004A3610 2_2_004A3610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004CF6F0 2_2_004CF6F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00547760 2_2_00547760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F7730 2_2_004F7730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004E77E0 2_2_004E77E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005397B0 2_2_005397B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F7960 2_2_004F7960
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0047B970 2_2_0047B970
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004EF9A0 2_2_004EF9A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004CBAC0 2_2_004CBAC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0044DA86 2_2_0044DA86
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0051DBB0 2_2_0051DBB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004EFC40 2_2_004EFC40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F7C00 2_2_004F7C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00503CC0 2_2_00503CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004F9D70 2_2_004F9D70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00545DE0 2_2_00545DE0
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\s7jOcwxjI7k0XEcaiYN_.exe Code function: 13_2_00DC28F0 13_2_00DC28F0
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\s7jOcwxjI7k0XEcaiYN_.exe Code function: 13_2_00DB8D09 13_2_00DB8D09
Source: C:\ProgramData\MSIUpdaterV168_fa0f5bd45309081f2cfb5ab42e0d965f\MSIUpdaterV168.exe Code function: 14_2_006428F0 14_2_006428F0
Source: C:\ProgramData\MSIUpdaterV168_fa0f5bd45309081f2cfb5ab42e0d965f\MSIUpdaterV168.exe Code function: 14_2_0063C207 14_2_0063C207
Source: C:\ProgramData\MSIUpdaterV168_fa0f5bd45309081f2cfb5ab42e0d965f\MSIUpdaterV168.exe Code function: 14_2_00638D09 14_2_00638D09
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\hhUml7ndoUuFxb5WyDjE.exe Code function: 26_2_00BF28F0 26_2_00BF28F0
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\hhUml7ndoUuFxb5WyDjE.exe Code function: 26_2_00BE8D09 26_2_00BE8D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_028E7742 28_2_028E7742
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_028E7750 28_2_028E7750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 28_2_028E7498 28_2_028E7498
Source: C:\ProgramData\MSIUpdaterV168_bf601beeeacc93e7a6f37b80206515f4\MSIUpdaterV168.exe Code function: 33_2_00C528F0 33_2_00C528F0
Source: C:\ProgramData\MSIUpdaterV168_bf601beeeacc93e7a6f37b80206515f4\MSIUpdaterV168.exe Code function: 33_2_00C48D09 33_2_00C48D09
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\pQuKvF5V8lUXfe4thfRR.exe Code function: 42_2_004528F0 42_2_004528F0
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\pQuKvF5V8lUXfe4thfRR.exe Code function: 42_2_0044C207 42_2_0044C207
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\pQuKvF5V8lUXfe4thfRR.exe Code function: 42_2_00448D09 42_2_00448D09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0041ECEC 43_2_0041ECEC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0041E919 43_2_0041E919
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0041EEC1 43_2_0041EEC1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_0041F6CF 43_2_0041F6CF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22194CF0 43_2_22194CF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2220A0B0 43_2_2220A0B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218209F 43_2_2218209F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221966C0 43_2_221966C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221847AF 43_2_221847AF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221AA560 43_2_221AA560
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2227A590 43_2_2227A590
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218AA40 43_2_2218AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218EA80 43_2_2218EA80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_222BE800 43_2_222BE800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22183E3B 43_2_22183E3B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218481D 43_2_2218481D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2229A900 43_2_2229A900
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2227A940 43_2_2227A940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_222669C0 43_2_222669C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2235AEBE 43_2_2235AEBE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221C6E80 43_2_221C6E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221E2EE0 43_2_221E2EE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221819DD 43_2_221819DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221B3370 43_2_221B3370
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218174E 43_2_2218174E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218F160 43_2_2218F160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221ABAB0 43_2_221ABAB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221B7810 43_2_221B7810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218251D 43_2_2218251D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218290A 43_2_2218290A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22183AB2 43_2_22183AB2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_222A8030 43_2_222A8030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22200090 43_2_22200090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22208120 43_2_22208120
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221A8680 43_2_221A8680
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22218760 43_2_22218760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221A8763 43_2_221A8763
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221E4760 43_2_221E4760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_222C0480 43_2_222C0480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22284A60 43_2_22284A60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218C800 43_2_2218C800
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22181EF1 43_2_22181EF1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221BCE10 43_2_221BCE10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221A8D2A 43_2_221A8D2A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2235D209 43_2_2235D209
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_222153B0 43_2_222153B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22183580 43_2_22183580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22199000 43_2_22199000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_222A5040 43_2_222A5040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22229690 43_2_22229690
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2223D6D0 43_2_2223D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_222E9430 43_2_222E9430
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218D4C0 43_2_2218D4C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_222A9A20 43_2_222A9A20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22182018 43_2_22182018
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22181C9E 43_2_22181C9E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22235940 43_2_22235940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_22182AA9 43_2_22182AA9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221812A8 43_2_221812A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_2218292D 43_2_2218292D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_221B1C50 43_2_221B1C50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 43_2_222E9CC0 43_2_222E9CC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\hhUml7ndoUuFxb5WyDjE.exe Code function: String function: 00BDA150 appears 49 times
Source: C:\ProgramData\MSIUpdaterV168_bf601beeeacc93e7a6f37b80206515f4\MSIUpdaterV168.exe Code function: String function: 00C3A150 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\s7jOcwxjI7k0XEcaiYN_.exe Code function: String function: 00DAA150 appears 49 times
Source: C:\ProgramData\MSIUpdaterV168_fa0f5bd45309081f2cfb5ab42e0d965f\MSIUpdaterV168.exe Code function: String function: 0062A150 appears 49 times
Source: C:\Users\user\Desktop\BRWgvKaqbg.exe Code function: String function: 0057A150 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\spanmA1X5YS12PoP\pQuKvF5V8lUXfe4thfRR.exe Code function: String function: 0043A150 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00547510 appears 110 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 22181F5A appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 22183AF3 appears 37 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 22181C2B appears 47 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 2218395E appears 81 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00402CF0 appears 112 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 223606B1 appears 36 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 0041ACE0 appears 146 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00404239 appears 287 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 2218415B appears 173 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: String function: 00434380 appears 57 times
Source: C:\Users\user\Desktop\BRWgvKaqbg.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6664 -s 280
Source: BRWgvKaqbg.exe, 00000000.00000002.2242964573.000000000059F000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamedotnet.exe6 vs BRWgvKaqbg.exe
Source: BRWgvKaqbg.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 28.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 26.2.hhUml7ndoUuFxb5WyDjE.exe.bd0000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 33.2.MSIUpdaterV168.exe.c30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 35.2.MSIUpdaterV168.exe.c30000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: Process Memory Space: pQuKvF5V8lUXfe4thfRR.exe PID: 7288, type: MEMORYSTR Matched rule: Molerats_Jul17_Sample_5 date = 2017-07-07, hash1 = ebf2423b9de131eab1c61ac395cbcfc2ac3b15bd9c83b96ae0a48619a4a38d0a, author = Florian Roth, description = Detects Molerats sample - July 2017, reference = https://mymalwareparty.blogspot.de/2017/07/operation-desert-eagle.html, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: BRWgvKaqbg.exe Static PE information: Section: .data ZLIB complexity 0.9968492723794063
Source: rise2606[1].exe.2.dr Static PE information: Section: .data ZLIB complexity 0.9968492723794063
Source: s7jOcwxjI7k0XEcaiYN_.exe.2.dr Static PE information: Section: .data ZLIB complexity 0.9968492723794063
Source: AdobeUpdaterV168.exe.2.dr Static PE information: Section: .data ZLIB complexity 0.9968492723794063
Source: MSIUpdaterV168.exe.2.dr Static PE information: Section: .data ZLIB complexity 0.9968492723794063
Source: meta2606[1].exe.2.dr Static PE information: Section: .data ZLIB complexity 0.989236328125
Source: hhUml7ndoUuFxb5WyDjE.exe.2.dr Static PE information: Section: .data ZLIB complexity 0.989236328125
Source: AdobeUpdaterV168.exe0.2.dr Static PE information: Section: .data ZLIB complexity 0.989236328125
Source: MSIUpdaterV168.exe0.2.dr Static PE information: Section: .data ZLIB complexity 0.989236328125
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@63/67@4/5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_005447E0 GetLastError,GetVersionExA,FormatMessageW,LocalFree,FormatMessageA, 2_2_005447E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_00544DE0 GetVersionExA,CreateFileW,CreateFileA,GetDiskFreeSpaceW,GetDiskFreeSpaceA, 2_2_00544DE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_004E06D0 CreateDirectoryA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetCurrentHwProfileA,GetModuleHandleExA,GetModuleFileNameA,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetComputerNameA,GetUserNameA,GetDesktopWindow,GetWindowRect,GetUserDefaultLocaleName,GetKeyboardLayoutList,GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,GetLocalTime,GetSystemTime,GetTimeZoneInformation,TzSpecificLocalTimeToSystemTime,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,GetSystemInfo,GlobalMemoryStatusEx,EnumDisplayDevicesA,EnumDisplayDevicesA,CreateToolhelp32Snapshot,Process32First,Process32Next,Process32Next,CloseHandle,RegOpenKeyExA,RegEnumKeyExA,wsprintfA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,RegCloseKey, 2_2_004E06D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Code function: 2_2_0048BAC8 CopyFileA,RegOpenKeyExA,RegSetValueExA,RegCloseKey,CopyFileA,GetUserNameA,CopyFileA,SHGetFolderPathA,CoInitialize,CoCreateInstance,MultiByteToWideChar,CoUninitialize,ShellExecuteA, 2_2_0048BAC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Mutant created: NULL
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7288
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5388:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3148:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6664
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7148