Windows Analysis Report
ub16vsLP6y.zip

Overview

General Information

Sample name: ub16vsLP6y.zip
renamed because original name is a hash value
Original sample name: Shared Folders 2023-Documents-185d3ad07050c2100c225b5d2de56c05.zip
Analysis ID: 1514109
MD5: 185d3ad07050c2100c225b5d2de56c05
SHA1: 5adc8c81f93de473591b8cc028334896c2e22f16
SHA256: c12289182c24af57db335a63c77db2fec8f80b128724fa4fdfdaf6798280b324

Detection

Remcos
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Malicious sample detected (through community Yara rule)
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Creates autostart registry keys with suspicious names
Uses cmd line tools excessively to alter registry or file data
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
HTTP GET or POST without a user agent
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Suricata IDS alerts with low severity for network traffic
Uses reg.exe to modify the Windows registry
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64_ra
  • rundll32.exe (PID: 6460 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • -1-Shared 2023-Documents pdf.exe (PID: 4248 cmdline: "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" MD5: 4864A55CFF27F686023456A22371E790)
    • -1-Shared 2023-Documents pdf.exe (PID: 1732 cmdline: "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" MD5: 4864A55CFF27F686023456A22371E790)
    • cmd.exe (PID: 5532 cmdline: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 2840 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • -1-Shared 2023-Documents pdf.exe (PID: 6944 cmdline: "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" MD5: 4864A55CFF27F686023456A22371E790)
    • -1-Shared 2023-Documents pdf.exe (PID: 5488 cmdline: "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" MD5: 4864A55CFF27F686023456A22371E790)
    • cmd.exe (PID: 5720 cmdline: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • reg.exe (PID: 1788 cmdline: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Yara matches (Source | Rule | Description | Author, with matched strings where available):
  • 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
  • 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
  • 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
  • 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
    • 0x6b162:$a1: Remcos restarted by watchdog!
    • 0x6b6da:$a3: %02i:%02i:%02i:%03i
  • 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll,EntryPoint, EventID: 13, EventType: SetValue, Image: C:\Windows\SysWOW64\reg.exe, ProcessId: 2840, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*UpdaterCisco
Source: Process started | Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community | Data: Command: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f , CommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 5532, ParentProcessName: cmd.exe, ProcessCommandLine: reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f , ProcessId: 2840, ProcessName: reg.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, CommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe" , ParentImage: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe, ParentProcessId: 4248, ParentProcessName: -1-Shared 2023-Documents pdf.exe, ProcessCommandLine: cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit, ProcessId: 5532, ProcessName: cmd.exe

Stealing of Sensitive Information

Source: Registry Key set | Author: Joe Security | Data: Details: [...], EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe, ProcessId: 1732, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-ZM1M40\exepath

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
  • 2024-09-19T20:58:55.032410+0200 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.16 | 49710 | 193.142.146.203 | 2405 | TCP
  • 2024-09-19T20:58:56.363452+0200 | 2803304 | 3 | Unknown Traffic | 192.168.2.16 | 49711 | 178.237.33.50 | 80 | TCP

AV Detection

Source: Yara match | File source: 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1954934637.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2121841806.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Exploits

Source: Yara match | File source: 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.16:49710 -> 193.142.146.203:2405
Source: global traffic | TCP traffic: 192.168.2.16:49710 -> 193.142.146.203:2405
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.16:49711 -> 178.237.33.50:80
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: unknown | TCP traffic detected without corresponding DNS query: 193.142.146.203
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: Yara match | File source: 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Source: Yara match | File source: 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1954934637.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2121841806.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine | Classification label: mal96.troj.expl.winZIP@17/1@1/12
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | File created: C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2084:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4680:120:WilError_03
Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: unknown | Process created: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: unknown | Process created: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f & exit
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Sections loaded (in order): apphelp.dll, wininet.dll, version.dll, msimg32.dll, oledlg.dll, k7rn7l32.dll, ntd3ll.dll, windows.storage.dll, wldp.dll, winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, sspicli.dll, mswsock.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, windows.storage.dll, wldp.dll, profapi.dll, kernel.appcore.dll, ondemandconnroutehelper.dll, winhttp.dll, winnsi.dll, dnsapi.dll, rasadhlp.dll, fwpuclnt.dll
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Sections loaded (in order): wininet.dll, version.dll, msimg32.dll, oledlg.dll, k7rn7l32.dll, ntd3ll.dll, windows.storage.dll, wldp.dll, winmm.dll, urlmon.dll, wininet.dll, iertutil.dll, srvcli.dll, netutils.dll, iphlpapi.dll, rstrtmgr.dll, ncrypt.dll, ntasn1.dll, kernel.appcore.dll
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: ub16vsLP6y.zip | Static file information: File size 67258370 > 1048576

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: reg.exe

Boot Survival

Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
Source: C:\Windows\SysWOW64\reg.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run *UpdaterCisco
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe TID: 4180 | Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Process created: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe "C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*UpdaterCisco" /t REG_SZ /d "rundll32.exe C:\Users\user\Documents\CiscoUpdater000_PARTIAL.dll",EntryPoint /f
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1954934637.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2121841806.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZM1M40
Source: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-ZM1M40
Source: Yara match | File source: 00000007.00000002.1655583711.0000000010248000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.1654569565.00000000027E0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000F.00000002.1954934637.0000000000DF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2121841806.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (the number in brackets is the count of matching signatures for that technique)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter (1) | Registry Run Keys / Startup Folder (11) | Process Injection (11) | Masquerading (1) | OS Credential Dumping | Virtualization/Sandbox Evasion (1) | Remote Services | Data from Local System | Non-Standard Port (1) | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Scheduled Task/Job | DLL Side-Loading (1) | Registry Run Keys / Startup Folder (11) | Modify Registry (1) | LSASS Memory | System Information Discovery (2) | Remote Desktop Protocol | Data from Removable Media | Remote Access Software (1) | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | DLL Side-Loading (1) | Virtualization/Sandbox Evasion (1) | Security Account Manager | Query Registry | SMB/Windows Admin Shares | Data from Network Shared Drive | Ingress Tool Transfer (1) | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Disable or Modify Tools (1) | NTDS | System Network Configuration Discovery | Distributed Component Object Model | Input Capture | Non-Application Layer Protocol (2) | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Process Injection (11) | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Application Layer Protocol (2) | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Rundll32 (1) | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | DLL Side-Loading (1) | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery

No Antivirus matches
Source | Detection | Scanner | Label | Link
http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | URL Reputation: safe | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
193.142.146.203 | unknown | Netherlands | | 208046 | HOSTSLICK-GERMANYNL | true
178.237.33.50 | geoplugin.net | Netherlands | | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1514109
Start date and time: 2024-09-19 20:57:46 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration:
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsinteractivecookbook.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• EGA enabled
Analysis Mode: stream
Analysis stop reason: Timeout
Sample name: ub16vsLP6y.zip
renamed because original name is a hash value
Original Sample Name: Shared Folders 2023-Documents-185d3ad07050c2100c225b5d2de56c05.zip
Detection: MAL
Classification: mal96.troj.expl.winZIP@17/1@1/12
Cookbook Comments:
• Found application associated with file extension: .zip
• Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe, SgrmBroker.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.28.90.27
• Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, e16604.g.akamaiedge.net, prod.fs.microsoft.com.akadns.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: ub16vsLP6y.zip
Process: C:\Users\user\Desktop\ub16vsLP6y\Shared Folders 2023-Documents\-1-Shared 2023-Documents pdf.exe
File Type: JSON data
Category: dropped
Size (bytes): 962
Entropy (8bit): 5.013130376969173
Encrypted: false
SSDEEP:
MD5: F61E5CC20FBBA892FF93BFBFC9F41061
SHA1: 36CD25DFAD6D9BC98697518D8C2F5B7E12A5864E
SHA-256: 28B330BB74B512AFBD70418465EC04C52450513D3CC8609B08B293DBEC847568
SHA-512: 5B6AD2F42A82AC91491C594714638B1EDCA26D60A9932C96CBA229176E95CA3FD2079B68449F62CBFFFFCA5DA6F4E25B7B49AF8A8696C95A4F11C54BCF451933
Malicious: false
Reputation: unknown
            Preview:{. "geoplugin_request":"8.46.123.33",. "geoplugin_status":200,. "geoplugin_delay":"2ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
File type: Zip archive data, at least v2.0 to extract, compression method=store
Entropy (8bit): 7.997794270983537
TrID:
• ZIP compressed archive (8000/1) 99.91%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.09%
File name: ub16vsLP6y.zip
File size: 67'258'370 bytes
MD5: 185d3ad07050c2100c225b5d2de56c05
SHA1: 5adc8c81f93de473591b8cc028334896c2e22f16
SHA256: c12289182c24af57db335a63c77db2fec8f80b128724fa4fdfdaf6798280b324
SHA512: 44c65a32236cf1f9534ebba4077c7aecec017244716736b0e33c487d9ffdbd85a93b76a35b20053ca16e765876d5ad0b9febd0a6f047bcd17f9f393cbd40e447
SSDEEP: 1572864:I/8Ep7PnCeq2FMPjeyJ445zHx6lfCdiGbHQuWCagVjhrdi6TiH:I7ZPvnM7elgzHclfUbzva2FrM2iH
TLSH: 83E733A15C2DF4241E0EE599A76E701CBDAB25B1D26F7E452DC9C403A40CEAF2874BCD
            File Content Preview:PK.........k3Y............ ...Shared Folders 2023-Documents/-/PK.........k3YT..{....ju..,...Shared Folders 2023-Documents/-/REname_mebb3.{.<\.....!....A..`...>:A.D...w.......=z.....=J.h1.F....7.9.=.....w..ky..O.?e=.=g.X,..+H.1.08BF"...:.......Z;...X{[.Ca|
Icon Hash: 1c1c1e4e4ececedc