Edit tour

Windows Analysis Report
WolferVPN.exe

Overview

General Information

Sample Name:	WolferVPN.exe
Analysis ID:	1352257
MD5:	6434ceafa88a3afa1f8351bc6890b2a5
SHA1:	700b43db6881bc83c6d7acb0d020283dca4fa7ba
SHA256:	db230e271893be37515e7bf1403352d99a5f8ac441c2df589551ee399dea7315
Tags:	BbyStealerexe
Infos:

Detection

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Drops PE files to the startup folder

Drops large PE files

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Drops files with a non-matching file extension (content does not match file extension)

Queries the volume information (name, serial number etc) of a device

Drops PE files

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

PE file contains sections with non-standard names

Creates a start menu entry (Start Menu\Programs\Startup)

Queries keyboard layouts

Enables security privileges

Stores files to the Windows start menu directory

PE file contains more sections than normal

Found dropped PE file which has not been started or loaded

Creates a process in suspended mode (likely to inject code)

IP address seen in connection with other malware

Searches for user specific document files

Classification

Process Tree

System is w10x64

WolferVPN.exe (PID: 1416 cmdline: C:\Users\user\Desktop\WolferVPN.exe MD5: 6434CEAFA88A3AFA1F8351BC6890B2A5)

WolferVPN.exe (PID: 6732 cmdline: "C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe" MD5: 4AD8066DFB8E65195E5733DDFD8A1AC7)

WolferVPN.exe (PID: 2328 cmdline: "C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\WolferVPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1680 --field-trial-handle=1684,i,1620382105047154044,16004179749874181730,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2 MD5: 4AD8066DFB8E65195E5733DDFD8A1AC7)

cmd.exe (PID: 7072 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 1224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 2708 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

WolferVPN.exe (PID: 1616 cmdline: "C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\WolferVPN" --mojo-platform-channel-handle=2204 --field-trial-handle=1684,i,1620382105047154044,16004179749874181730,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8 MD5: 4AD8066DFB8E65195E5733DDFD8A1AC7)

cmd.exe (PID: 6536 cmdline: C:\Windows\system32\cmd.exe /d /s /c "tasklist" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 4800 cmdline: tasklist MD5: D0A49A170E13D7F6AEBBEFED9DF88AAA)

Updater.exe (PID: 1948 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe" MD5: 4AD8066DFB8E65195E5733DDFD8A1AC7)

cleanup

HTTP traffic detected: POST /dns-query HTTP/1.1Host: chrome.cloudflare-dns.comConnection: keep-aliveContent-Length: 128Accept: application/dns-messageAccept-Language: *User-Agent: ChromeAccept-Encoding: identityContent-Type: application/dns-message

Source: C:\Users\user\AppData\Local\Temp\b1c3f10e-540e-46f8-9bee-83879b20c9f6.tmp.node	ReversingLabs: Detection: 40%
Source: C:\Users\user\AppData\Local\Temp\b1c3f10e-540e-46f8-9bee-83879b20c9f6.tmp.node	Virustotal: Detection: 40%			Perma Link

Source: C:\Users\user\Desktop\WolferVPN.exe	File created: C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\7z-out\LICENSE.electron.txt			Jump to behavior
Source: C:\Users\user\Desktop\WolferVPN.exe	File created: C:\Users\user\AppData\Local\Programs\WolferVPN\LICENSE.electron.txt			Jump to behavior

Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Programs\WolferVPN
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Programs\WolferVPN\resources

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\WolferVPN.exe	File dump: WolferVPN.exe.0.dr 163343360	Jump to dropped file
Source: C:\Users\user\Desktop\WolferVPN.exe	File dump: WolferVPN.exe0.0.dr 163343360	Jump to dropped file
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File dump: Updater.exe.5.dr 163343360

Source: vulkan-1.dll0.0.dr	Static PE information: Number of sections : 11 > 10
Source: Updater.exe.5.dr	Static PE information: Number of sections : 15 > 10
Source: libEGL.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: libGLESv2.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: vk_swiftshader.dll0.0.dr	Static PE information: Number of sections : 11 > 10
Source: vk_swiftshader.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: libGLESv2.dll0.0.dr	Static PE information: Number of sections : 11 > 10
Source: vulkan-1.dll.0.dr	Static PE information: Number of sections : 11 > 10
Source: WolferVPN.exe0.0.dr	Static PE information: Number of sections : 15 > 10
Source: WolferVPN.exe.0.dr	Static PE information: Number of sections : 15 > 10
Source: libEGL.dll0.0.dr	Static PE information: Number of sections : 11 > 10

Source: unknown	Process created: C:\Users\user\Desktop\WolferVPN.exe C:\Users\user\Desktop\WolferVPN.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe "C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe"
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process created: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe "C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\WolferVPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1680 --field-trial-handle=1684,i,1620382105047154044,16004179749874181730,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process created: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe "C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\WolferVPN" --mojo-platform-channel-handle=2204 --field-trial-handle=1684,i,1620382105047154044,16004179749874181730,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe"
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process created: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe "C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe" --type=gpu-process --user-data-dir="C:\Users\user\AppData\Roaming\WolferVPN" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1680 --field-trial-handle=1684,i,1620382105047154044,16004179749874181730,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process created: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe "C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --user-data-dir="C:\Users\user\AppData\Roaming\WolferVPN" --mojo-platform-channel-handle=2204 --field-trial-handle=1684,i,1620382105047154044,16004179749874181730,262144 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /d /s /c "tasklist"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\tasklist.exe tasklist

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1224:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:936:120:WilError_03
Source: C:\Users\user\Desktop\WolferVPN.exe	Mutant created: \Sessions\1\BaseNamedObjects\9c1054f2-f2ad-5af7-8c3f-0bca1902f573

Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\System32\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process

Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://blog.izs.me)
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://blog.izs.me/)
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://csrc.nist.gov/publications/nistpubs/800-38D/SP-800-38D.pdf
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://digitalbazaar.com/
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://dominictarr.com)
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://evanjones.ca/)
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://feross.org
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://github.com/walling/unorm.git
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://jsperf.com/arraybuffer-to-string-apply-performance/2
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://jsperf.com/converting-a-uint8array-to-a-string/2
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://n8.io/)
Source: WolferVPN.exe, 00000000.00000000.2162028231.000000000040A000.00000008.00000001.01000000.00000003.sdmp	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://pajhome.org.uk/crypt/md5
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://seclists.org/fulldisclosure/2009/Sep/394
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stackoverflow.com/a/1068308/13216
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stuartk.com/jszip
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://stuk.github.io/jszip/documentation/howto/read_zip.html
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://substack.net
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://unicode.org/reports/tr15/
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://unix.stackexchange.com/questions/14705/the-zip-formats-external-file-attribute
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://webrsa.cvs.sourceforge.net/viewvc/webrsa/Client/RSAES-OAEP.js?content-type=text%2Fplain:
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wiki.ecmascript.org/doku.php?id=harmony:specification_drafts#november_8_2013_draft_rev_21
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://wiki.ecmascript.org/doku.php?id=strawman:concurrency&rev=1308776521#allfulfilled
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.delorie.com/djgpp/doc/rbinter/it/52/13.html
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.delorie.com/djgpp/doc/rbinter/it/65/16.html
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.delorie.com/djgpp/doc/rbinter/it/66/16.html
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-262.pdf
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.exodus.io)
Source: WolferVPN.exe, 00000000.00000003.2261017258.0000000006460000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.fossil-scm.org/
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.futurealoof.com)
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.gnu.org/licenses/gpl-2.0-standalone.html
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.ietf.org/rfc/rfc2315.txt):
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/FAQ.html#backslashes
Source: WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.joyent.com
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.netdealing.com
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/docs/crypto/EVP_BytesToKey.html
Source: WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.rsa.com/rsalabs/node.asp?id=2125

Source: libGLESv2.dll.0.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll.0.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll.0.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll.0.dr	Static PE information: section name: _RDATA
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll.0.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll.0.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll.0.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll.0.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll.0.dr	Static PE information: section name: _RDATA
Source: WolferVPN.exe.0.dr	Static PE information: section name: .00cfg
Source: WolferVPN.exe.0.dr	Static PE information: section name: .gxfg
Source: WolferVPN.exe.0.dr	Static PE information: section name: .retplne
Source: WolferVPN.exe.0.dr	Static PE information: section name: .rodata
Source: WolferVPN.exe.0.dr	Static PE information: section name: CPADinfo
Source: WolferVPN.exe.0.dr	Static PE information: section name: LZMADEC
Source: WolferVPN.exe.0.dr	Static PE information: section name: _RDATA
Source: WolferVPN.exe.0.dr	Static PE information: section name: malloc_h
Source: ffmpeg.dll.0.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll.0.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll.0.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll.0.dr	Static PE information: section name: _RDATA
Source: libEGL.dll.0.dr	Static PE information: section name: .00cfg
Source: libEGL.dll.0.dr	Static PE information: section name: .gxfg
Source: libEGL.dll.0.dr	Static PE information: section name: .retplne
Source: libEGL.dll.0.dr	Static PE information: section name: _RDATA
Source: libGLESv2.dll0.0.dr	Static PE information: section name: .00cfg
Source: libGLESv2.dll0.0.dr	Static PE information: section name: .gxfg
Source: libGLESv2.dll0.0.dr	Static PE information: section name: .retplne
Source: libGLESv2.dll0.0.dr	Static PE information: section name: _RDATA
Source: vk_swiftshader.dll0.0.dr	Static PE information: section name: .00cfg
Source: vk_swiftshader.dll0.0.dr	Static PE information: section name: .gxfg
Source: vk_swiftshader.dll0.0.dr	Static PE information: section name: .retplne
Source: vk_swiftshader.dll0.0.dr	Static PE information: section name: _RDATA
Source: vulkan-1.dll0.0.dr	Static PE information: section name: .00cfg
Source: vulkan-1.dll0.0.dr	Static PE information: section name: .gxfg
Source: vulkan-1.dll0.0.dr	Static PE information: section name: .retplne
Source: vulkan-1.dll0.0.dr	Static PE information: section name: _RDATA
Source: WolferVPN.exe0.0.dr	Static PE information: section name: .00cfg
Source: WolferVPN.exe0.0.dr	Static PE information: section name: .gxfg
Source: WolferVPN.exe0.0.dr	Static PE information: section name: .retplne
Source: WolferVPN.exe0.0.dr	Static PE information: section name: .rodata
Source: WolferVPN.exe0.0.dr	Static PE information: section name: CPADinfo
Source: WolferVPN.exe0.0.dr	Static PE information: section name: LZMADEC
Source: WolferVPN.exe0.0.dr	Static PE information: section name: _RDATA
Source: WolferVPN.exe0.0.dr	Static PE information: section name: malloc_h
Source: ffmpeg.dll0.0.dr	Static PE information: section name: .00cfg
Source: ffmpeg.dll0.0.dr	Static PE information: section name: .gxfg
Source: ffmpeg.dll0.0.dr	Static PE information: section name: .retplne
Source: ffmpeg.dll0.0.dr	Static PE information: section name: _RDATA
Source: libEGL.dll0.0.dr	Static PE information: section name: .00cfg
Source: libEGL.dll0.0.dr	Static PE information: section name: .gxfg
Source: libEGL.dll0.0.dr	Static PE information: section name: .retplne
Source: libEGL.dll0.0.dr	Static PE information: section name: _RDATA
Source: Updater.exe.5.dr	Static PE information: section name: .00cfg
Source: Updater.exe.5.dr	Static PE information: section name: .gxfg
Source: Updater.exe.5.dr	Static PE information: section name: .retplne
Source: Updater.exe.5.dr	Static PE information: section name: .rodata
Source: Updater.exe.5.dr	Static PE information: section name: CPADinfo
Source: Updater.exe.5.dr	Static PE information: section name: LZMADEC
Source: Updater.exe.5.dr	Static PE information: section name: _RDATA
Source: Updater.exe.5.dr	Static PE information: section name: malloc_h
Source: b1c3f10e-540e-46f8-9bee-83879b20c9f6.tmp.node.5.dr	Static PE information: section name: _RDATA
Source: 8aa2ec43-5e03-40f0-b44b-d7dcf4df059c.tmp.node.5.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\tasklist.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\d0010809

Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.bby
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data.bby
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bby
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bby
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings
Source: C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	1 Windows Management Instrumentation	1 Windows Service	1 Windows Service	11 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	11 Data from Local System	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	1 Command and Scripting Interpreter	12 Registry Run Keys / Startup Folder	11 Process Injection	11 Process Injection	LSASS Memory	2 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	At	Logon Script (Windows)	12 Registry Run Keys / Startup Folder	Obfuscated Files or Information	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	3 Application Layer Protocol			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	Cron	Login Hook	Login Hook	Binary Padding	NTDS	12 File and Directory Discovery	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe	1%	Virustotal		Browse
C:\Users\user\AppData\Local\Programs\WolferVPN\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\WolferVPN\d3dcompiler_47.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Programs\WolferVPN\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\WolferVPN\ffmpeg.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Programs\WolferVPN\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\WolferVPN\libEGL.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Programs\WolferVPN\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\WolferVPN\libGLESv2.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Programs\WolferVPN\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\WolferVPN\vk_swiftshader.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Programs\WolferVPN\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Programs\WolferVPN\vulkan-1.dll	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\8aa2ec43-5e03-40f0-b44b-d7dcf4df059c.tmp.node	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\8aa2ec43-5e03-40f0-b44b-d7dcf4df059c.tmp.node	0%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\b1c3f10e-540e-46f8-9bee-83879b20c9f6.tmp.node	41%	ReversingLabs	Win64.Trojan.Generic
C:\Users\user\AppData\Local\Temp\b1c3f10e-540e-46f8-9bee-83879b20c9f6.tmp.node	40%	Virustotal		Browse
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\7z-out\WolferVPN.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\7z-out\d3dcompiler_47.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\7z-out\ffmpeg.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\7z-out\libEGL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\7z-out\libGLESv2.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\7z-out\resources\elevate.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\7z-out\vk_swiftshader.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\7z-out\vulkan-1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\SpiderBanner.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\StdUtils.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr97EA.tmp\nsis7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
rufflesrefined.com	17%	Virustotal		Browse
chrome.cloudflare-dns.com	0%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://pajhome.org.uk/crypt/md5	0%	URL Reputation	safe
https://v8.dev/docs/embed#exceptions)	0%	Virustotal		Browse
https://v8.dev/docs/embed#interceptors).	0%	Virustotal		Browse
https://v8.dev/docs/embed#interceptors).	0%	Avira URL Cloud	safe
http://stuartk.com/jszip	0%	Avira URL Cloud	safe
https://v8.dev/docs/embed#exceptions)	0%	Avira URL Cloud	safe
http://www.netdealing.com	0%	Virustotal		Browse
http://www.netdealing.com	0%	Avira URL Cloud	safe
http://digitalbazaar.com/	0%	Avira URL Cloud	safe
http://stuartk.com/jszip	0%	Virustotal		Browse
http://digitalbazaar.com/	0%	Virustotal		Browse

Name	IP	Active	Malicious	Antivirus Detection	Reputation
rufflesrefined.com	172.67.218.203	true	false	17%, Virustotal, Browse	unknown
chrome.cloudflare-dns.com	172.64.41.3	true	false	0%, Virustotal, Browse	unknown

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.netdealing.com	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://v8docs.nodesource.com/node-8.16/dc/d0a/classv8_1_1_value.html#a08fba1d776a59bbf6864b25f9152c	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/TooTallNate	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/node/blob/v10.8.0/lib/internal/errors.js	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/mafintosh/mkdirp-classic.git	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#a6f76b2ed605cb8f9185b92de0033	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d5/d54/classv8_1_1_function.html#a9c3d0e4e13ddd7721fce238aa5	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d9/d28/classv8_1_1_message.html#adbe46c10a88a6565f2732a2d2ad	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://seclists.org/fulldisclosure/2009/Sep/394	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/PeculiarVentures/webcrypto-core.git	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/v8/v8/wiki/Embedder%27s%20Guide#handles-and-garbage-collection).	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/de/d73/classv8_1_1_non_copyable_persistent_traits.html)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#ab7b7245442ca6de1e1c145ea3fd6	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.rsa.com/rsalabs/node.asp?id=2125	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/string_decoder	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8.dev/docs/embed#interceptors).	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://github.com/PeculiarVentures/webcrypto-core#readme	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/da/da5/classv8_1_1_script_compiler.html#a93f5072a0db55d881b9	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://tools.ietf.org/html/rfc8410#section-10.3	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://www.patreon.com/feross	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/TooTallNate/util-deprecate	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/crypto-browserify/md5.js.git	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/digitalbazaar/forge	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sqlite.org/wal.html#ckpt	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d5/dda/classv8_1_1_isolate.html#aabd223436bc1100a787dadaa024	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/dchest/tweetnacl-js	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/kkoopa	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d5/dda/classv8_1_1_isolate.html#a542d67e85089cb3f92aadf032f9	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d5f/classv8_1_1_object_template.html#a5e9612fc80bf6db8f2d	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://semver.org/	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#af743b7ea132b89f84d34d164d066	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d5/d54/classv8_1_1_function.html#ae477558b10c14b76ed00e8dbab	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#a2565f03e736694f6b1e1cf22a0b4	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d5/dda/classv8_1_1_isolate.html#ad6a2a02657f5425ad460060652a	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/da/d6a/classv8_1_1_exception.html)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/electron/node-abi#readme	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://digitalbazaar.com/	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://datatracker.ietf.org/doc/html/rfc7468#section-7	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://nodejs.org/api/addons.html#addons_wrapping_c_objects)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d3/d95/classv8_1_1_handle_scope.html).	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d8/d06/classv8_1_1_weak_callback_info.html)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/endsWith	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/dominictarr/varstruct.git	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d5/dda/classv8_1_1_isolate.html#a045d7754e62fa0ec72ae6c259b2	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sqlite.org/lang_savepoint.html	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
http://stackoverflow.com/a/1068308/13216	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d4/dca/classv8_1_1_persistent_base.html)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#ab7a92b4dcf822bef72f6c0ac6fea	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/fanatid)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/digitalbazaar/forge/blob/master/lib/asn1.js#L542	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-0.12/db/d85/classv8_1_1_object.html#acfbdfd7427b516ebdb5c47c4df5e	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/JavaScript/Reference/Operators/Bitwise_Operators	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/kjur/jsjws/blob/master/rsa.js:	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.openssl.org	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/mkrufky	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d9/db3/classv8_1_1_string_1_1_external_one_byte_string_resou	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://aka.ms/opensource/security/bounty)	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/RyanZim/universalify#readme	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d5f/classv8_1_1_object_template.html#a33b3ebd7de641f6cc64	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/trevnorris	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#a8700b1862e6b4783716964ba4d5e	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.unicode.org/copyright.html	WolferVPN.exe, 00000000.00000003.2248611287.0000000005650000.00000004.00001000.00020000.00000000.sdmp	false		high
https://developer.mozilla.org/en-US/docs/Web/API/window.crypto.getRandomValues	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/cryptocoinjs/base-x	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/RyanZim/universalify.git	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
http://stuartk.com/jszip	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://v8.dev/docs/embed#exceptions)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#ace1769b0f3b86bfe9fda10109163	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d2/db3/classv8_1_1_string.html#a5264d50b96d2c896ce525a734dc1	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d4/dc6/classv8_1_1_try_catch.html)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/da/d6f/classv8_1_1_j_s_o_n.html#a936310d2540fb630ed37d3ee3ff	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/agnat	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/nodejs/nan#wg-members--collaborators	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d5/dda/classv8_1_1_isolate.html#aeb420b690bc2c216882d6fdd00d	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://pajhome.org.uk/crypt/md5	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://github.com/inspiredware/napi-build-utils#readme	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://unicode.org/reports/tr15/	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.joyent.com	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d5f/classv8_1_1_object_template.html#ad605a7543cfbc5dab54	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#ad8b80a59c9eb3c1e6c3cd6c84571	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d2/d78/classv8_1_1_persistent.html)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d5/dda/classv8_1_1_isolate.html#a5f72c7cda21415ce062bbe5c58a	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d9/d28/classv8_1_1_message.html#a60ede616ba3822d712e44c7a744	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/sponsors/feross	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/rvagg	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/xamarin)	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#a50d571de50d0b0dfb28795619d07	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/crypto-browserify/md5.js	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.info-zip.org/FAQ.html#backslashes	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://hackage.haskell.org/package/base/docs/Data-Maybe.html.	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/mafintosh/pump	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://sindresorhus.com	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.gnu.org/licenses/gpl-2.0-standalone.html	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/mafintosh/tar-stream.git	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-4.8/d3/d32/classv8_1_1_array.html#a1d3a878d4c1c7cae974dd50a163924	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/dd/d0d/classv8_1_1_function_callback_info.html)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/d7/dc5/classv8_1_1_property_callback_info.html)	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://v8docs.nodesource.com/node-8.16/db/d85/classv8_1_1_object.html#a169f2da506acbec34deadd9149a1	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/mafintosh/end-of-stream	WolferVPN.exe, 00000000.00000003.2260475006.0000000005250000.00000004.00001000.00020000.00000000.sdmp	false		high
https://github.com/inspiredware/napi-build-utils#napi-build-utils).	WolferVPN.exe, 00000000.00000003.2260205445.0000000004A50000.00000004.00001000.00020000.00000000.sdmp	false		high

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report WolferVPN.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

(copy)

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data.bby

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies.bby

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data.bby

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data.bby

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies.bby

C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data.bby

C:\Users\user\AppData\Local\Programs\WolferVPN\LICENSE.electron.txt

C:\Users\user\AppData\Local\Programs\WolferVPN\LICENSES.chromium.html

C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe

C:\Users\user\AppData\Local\Programs\WolferVPN\chrome_100_percent.pak

C:\Users\user\AppData\Local\Programs\WolferVPN\chrome_200_percent.pak

C:\Users\user\AppData\Local\Programs\WolferVPN\d3dcompiler_47.dll

C:\Users\user\AppData\Local\Programs\WolferVPN\ffmpeg.dll

C:\Users\user\AppData\Local\Programs\WolferVPN\icudtl.dat

C:\Users\user\AppData\Local\Programs\WolferVPN\libEGL.dll

C:\Users\user\AppData\Local\Programs\WolferVPN\libGLESv2.dll

C:\Users\user\AppData\Local\Programs\WolferVPN\resources.pak

C:\Users\user\AppData\Local\Programs\WolferVPN\snapshot_blob.bin

C:\Users\user\AppData\Local\Programs\WolferVPN\v8_context_snapshot.bin

C:\Users\user\AppData\Local\Programs\WolferVPN\vk_swiftshader.dll

C:\Users\user\AppData\Local\Programs\WolferVPN\vk_swiftshader_icd.json

Windows Analysis Report
WolferVPN.exe

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.67.218.203	rufflesrefined.com	United States		13335	CLOUDFLARENETUS	false
172.64.41.3	chrome.cloudflare-dns.com	United States		13335	CLOUDFLARENETUS	false

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1352257
Start date and time:	2023-12-02 22:03:31 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	WolferVPN.exe
Detection:	MAL
Classification:	mal68.adwa.spyw.winEXE@17/107@3/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Time	Type	Description
22:04:43	API Interceptor	14x Sleep call for process: WolferVPN.exe modified
22:05:01	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe

Process:	C:\Users\user\AppData\Local\Programs\WolferVPN\WolferVPN.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	413
Entropy (8bit):	5.622417211407826
Encrypted:	false
SSDEEP:	12:YKWSg99rrt+UWikSdiO8CXBETpFFELTiJwrTM+Yi:YKWfrrtRKSIWxETpYUap
MD5:	2B7F19F2FC201FE27C212FD1632F5DDA
SHA1:	88D959B59438F87DCCE44257EF05F9F38FF4C407
SHA-256:	CEF41FE2D16205892A1DF22A2C88832466ED75A076638D012BD29A5959E5E820
SHA-512:	26F89D0351A7E37A1530056FFE60909A3384B5F3968DF3D5CFB7AEB6D72179DDE3479F69A3C2C82532CD3FF92994DF2B31B9F020ECED448C1EA796058FE93296
Malicious:	false
Reputation:	low
Preview:	{"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABSjLU7zYUkRIPDR3IKCUEYEAAAABIAAABDAGgAcgBvAG0AaQB1AG0AAAAQZgAAAAEAACAAAAAeMaPdqvU3Xbi0T02ZH5wtD6AJW8AlOVF7SGt257dJiAAAAAAOgAAAAAIAACAAAACrL85c9u6IBijPt91xlpUc9rxSaZ6fliLLRvB9E3wFYTAAAACALkhxWEeKdqOMLlkOrfGrQrslxxZx8G5wcvHtbGo2wEGeS1HHQN+nCHXfGbnY7TdAAAAAkxRJQLgHWJXOsC1ikz3GGcODiAJQkgw7OiQcZmYu6NaIuMFYO+KW4VjEkWZcTkFNCwB7H51Z8RKSyYH/uoRqlQ=="}}

Process:	C:\Users\user\Desktop\WolferVPN.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	1096
Entropy (8bit):	5.13006727705212
Encrypted:	false
SSDEEP:	24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
MD5:	4D42118D35941E0F664DDDBD83F633C5
SHA1:	2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
SHA-256:	5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
SHA-512:	3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
Malicious:	false
Preview:	Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.999984252619177
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	WolferVPN.exe
File size:	74'280'552 bytes
MD5:	6434ceafa88a3afa1f8351bc6890b2a5
SHA1:	700b43db6881bc83c6d7acb0d020283dca4fa7ba
SHA256:	db230e271893be37515e7bf1403352d99a5f8ac441c2df589551ee399dea7315
SHA512:	d61648811d069b6b973c234b391704ac6bc714d808f48afff5a5c39705b320cb0cc8091e6c54d18368a8b0a4187fbb0f2444f99262121145d80281bf28b9ef6a
SSDEEP:	1572864:5MpHvAncNj5mA99v/X6s/WXct35tOfMIGKID0aJvi67YoKEiakmB25:5+GcNF99Jys/WXOJtOfMIGKIwsUAhy
TLSH:	15F73309C7C66311FB848BB9A59A7317D589F238EF8022643075831E3876FEFAD69507
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L......\.................h...8...@.

Entrypoint:	0x40338f
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F86 [Sat Dec 15 22:26:14 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8610	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19f000	0x7330	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6627	0x6800	False	0.6646259014423077	data	6.450282348506287	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x14a2	0x1600	False	0.4405184659090909	data	5.025178929113415	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x70ff8	0x600	False	0.5182291666666666	data	4.037117731448378	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x7b000	0x124000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x19f000	0x7330	0x7400	False	0.7661974676724138	data	7.150293516996489	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x19f4a8	0x515b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9935180294809622
RT_DIALOG	0x1a4608	0x202	data	English	United States	0.4085603112840467
RT_DIALOG	0x1a4810	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x1a4908	0xee	data	English	United States	0.6260504201680672
RT_DIALOG	0x1a49f8	0x1fa	data	English	United States	0.40118577075098816
RT_DIALOG	0x1a4bf8	0xf0	data	English	United States	0.6666666666666666
RT_DIALOG	0x1a4ce8	0xe6	data	English	United States	0.6565217391304348
RT_DIALOG	0x1a4dd0	0x1ee	data	English	United States	0.38866396761133604
RT_DIALOG	0x1a4fc0	0xe4	data	English	United States	0.6447368421052632
RT_DIALOG	0x1a50a8	0xda	data	English	United States	0.6422018348623854
RT_DIALOG	0x1a5188	0x1ee	data	English	United States	0.3866396761133603
RT_DIALOG	0x1a5378	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0x1a5460	0xda	data	English	United States	0.6376146788990825
RT_DIALOG	0x1a5540	0x1f2	data	English	United States	0.39759036144578314
RT_DIALOG	0x1a5738	0xe8	data	English	United States	0.6508620689655172
RT_DIALOG	0x1a5820	0xde	data	English	United States	0.6486486486486487
RT_DIALOG	0x1a5900	0x202	data	English	United States	0.42217898832684825
RT_DIALOG	0x1a5b08	0xf8	data	English	United States	0.6653225806451613
RT_DIALOG	0x1a5c00	0xee	data	English	United States	0.6512605042016807
RT_GROUP_ICON	0x1a5cf0	0x14	data	English	United States	1.05
RT_VERSION	0x1a5d08	0x1fc	data	English	United States	0.5039370078740157
RT_MANIFEST	0x1a5f08	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076