
Windows Analysis Report
WINNERIUM BETA.exe

Overview

General Information

Sample name: WINNERIUM BETA.exe
Analysis ID: 1670618
MD5: 1ea7701d7a2e8c0f3a7a50f0747c70f5
SHA1: 9507198adb87b6ca820077bbeb2e61605096af9e
SHA256: d9fb39ba6319a26fda70992c1d423b1d124179c2986e4a39d28e05ccafa1f7f0
Tags: exe, user-whoise

Detection

Score: 60
Range: 0 - 100
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Found direct / indirect Syscall (likely to bypass EDR)
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Entry point lies outside standard sections
JA3 SSL client fingerprint seen in connection with other malware
PE file contains sections with non-standard names

Classification

  • System is w10x64
  • WINNERIUM BETA.exe (PID: 7836 cmdline: "C:\Users\user\Desktop\WINNERIUM BETA.exe" MD5: 1EA7701D7A2E8C0F3A7A50F0747C70F5)
    • conhost.exe (PID: 7844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched


AV Detection

Source: WINNERIUM BETA.exe | ReversingLabs: Detection: 50%
Source: WINNERIUM BETA.exe | Virustotal: Detection: 43%
Source: unknown | HTTPS traffic detected: 45.130.41.132:443 -> 192.168.2.4:49713 version: TLS 1.2
Source: WINNERIUM BETA.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\mainproj\build\Release\cheatrelease.pdb source: WINNERIUM BETA.exe, 00000000.00000002.1252076051.00007FF636A48000.00000004.00000001.01000000.00000003.sdmp
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /123.txt HTTP/1.1; User-Agent: WinInet Example; Host: ecl1pse.fun; Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: ecl1pse.fun
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/
Source: WINNERIUM BETA.exe, 00000000.00000002.1252060376.00007FF636A40000.00000002.00000001.01000000.00000003.sdmp, WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77574000.00000004.00000020.00020000.00000000.sdmp, WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C774AC000.00000004.00000020.00020000.00000000.sdmp, WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/123.txt
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77542000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/123.txt(
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/123.txt-
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/123.txt3
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/123.txt6
Source: WINNERIUM BETA.exe, 00000000.00000002.1252060376.00007FF636A40000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: https://ecl1pse.fun/123.txtInternetOpenUrl
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/123.txtJ
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/123.txtV
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77542000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/123.txtl
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ecl1pse.fun/n
Source: WINNERIUM BETA.exe, 00000000.00000002.1252076051.00007FF636A48000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://fontawesome.com
Source: WINNERIUM BETA.exe, 00000000.00000002.1252076051.00007FF636A48000.00000004.00000001.01000000.00000003.sdmp | String found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown | HTTPS traffic detected: 45.130.41.132:443 -> 192.168.2.4:49713 version: TLS 1.2

System Summary

Source: WINNERIUM BETA.exe | Static PE information: section name: ."m>
Source: WINNERIUM BETA.exe | Static PE information: section name: .?=&
Source: WINNERIUM BETA.exe | Static PE information: section name: .p~s
Source: classification engine | Classification label: mal60.evad.winEXE@2/2@1/1
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\123[1].txt
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7844:120:WilError_03
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: WINNERIUM BETA.exe | ReversingLabs: Detection: 50%
Source: WINNERIUM BETA.exe | Virustotal: Detection: 43%
Source: unknown | Process created: C:\Users\user\Desktop\WINNERIUM BETA.exe "C:\Users\user\Desktop\WINNERIUM BETA.exe"
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: vcruntime140_1.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: WINNERIUM BETA.exe | Static PE information: Image base 0x140000000 > 0x60000000
Source: WINNERIUM BETA.exe | Static file information: File size 16737792 > 1048576
Source: WINNERIUM BETA.exe | Static PE information: Raw size of .p~s is bigger than: 0x100000 < 0xff5200
Source: WINNERIUM BETA.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: E:\mainproj\build\Release\cheatrelease.pdb source: WINNERIUM BETA.exe, 00000000.00000002.1252076051.00007FF636A48000.00000004.00000001.01000000.00000003.sdmp
Source: initial sample | Static PE information: section where entry point is pointing to: .p~s
Source: WINNERIUM BETA.exe | Static PE information: section name: ."m>
Source: WINNERIUM BETA.exe | Static PE information: section name: .?=&
Source: WINNERIUM BETA.exe | Static PE information: section name: .p~s

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Memory written: PID: 7836 base: 7FFCC3890008 value: E9 EB D9 E9 FF
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Memory written: PID: 7836 base: 7FFCC372D9F0 value: E9 20 26 16 00
Source: WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C774AC000.00000004.00000020.00020000.00000000.sdmp, WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77535000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | Process information queried: ProcessInformation

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtOpenFile: Direct from: 0x7FF638122421
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Direct from: 0x7FF637F393FB
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Indirect: 0x7FF637517649
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Direct from: 0x7FF637C780B9
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtUnmapViewOfSection: Direct from: 0x7FF6380E8C17
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Direct from: 0x7FF63753C6BF
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Direct from: 0x7FF637F57CF9
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtMapViewOfSection: Direct from: 0x7FF637D35A6E
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Direct from: 0x7FF63756D82C
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Direct from: 0x7FF637EEED6B
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Direct from: 0x7FF637CE49A6
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Direct from: 0x7FF63756D3FA
Source: C:\Users\user\Desktop\WINNERIUM BETA.exe | NtProtectVirtualMemory: Direct from: 0x7FF638121F86
MITRE ATT&CK Matrix (per tactic, in the report's column order; a number in parentheses is the count of matched signatures for that technique)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
Execution: Windows Management Instrumentation; Scheduled Task/Job; At; Cron
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook
Privilege Escalation: Process Injection (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Login Hook
Defense Evasion: Masquerading (1); Process Injection (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1)
Credential Access: Credential API Hooking (1); LSASS Memory; Security Account Manager; NTDS
Discovery: Security Software Discovery (1); Process Discovery (1); System Information Discovery (1); System Network Configuration Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
Collection: Credential API Hooking (1); Data from Removable Media; Data from Network Shared Drive; Input Capture
Command and Control: Encrypted Channel (1); Non-Application Layer Protocol (2); Application Layer Protocol (3); Ingress Tool Transfer (1)
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction
Behavior Graph ID: 1670618 | Sample: WINNERIUM BETA.exe | Start date: 21/04/2025 | Architecture: WINDOWS | Score: 60

Start -> WINNERIUM BETA.exe (started)
  DNS/IP: ecl1pse.fun
  Signatures: Multi AV Scanner detection for submitted file; PE file contains section with special chars
WINNERIUM BETA.exe -> conhost.exe (started)
  DNS/IP: ecl1pse.fun 45.130.41.132, 443, 49713 BEGET-ASRU Russian Federation
  Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Found direct / indirect Syscall (likely to bypass EDR)

Source | Detection | Scanner | Label
WINNERIUM BETA.exe | 50% | ReversingLabs | Win64.Trojan.Generic
WINNERIUM BETA.exe | 43% | Virustotal |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://ecl1pse.fun/123.txtV | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/123.txtJ | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/123.txt6 | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/ | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/n | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/123.txtl | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/123.txtInternetOpenUrl | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/123.txt | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/123.txt- | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/123.txt( | 0% | Avira URL Cloud | safe
https://ecl1pse.fun/123.txt3 | 0% | Avira URL Cloud | safe


Name | IP | Active | Malicious | Antivirus Detection | Reputation
ecl1pse.fun | 45.130.41.132 | true | false | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://ecl1pse.fun/123.txt | false | Avira URL Cloud: safe | unknown

Name | Source | Malicious | Antivirus Detection | Reputation
https://fontawesome.com | WINNERIUM BETA.exe, 00000000.00000002.1252076051.00007FF636A48000.00000004.00000001.01000000.00000003.sdmp | false | | high
https://ecl1pse.fun/123.txt6 | WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecl1pse.fun/123.txtV | WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecl1pse.fun/n | WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecl1pse.fun/123.txtInternetOpenUrl | WINNERIUM BETA.exe, 00000000.00000002.1252060376.00007FF636A40000.00000002.00000001.01000000.00000003.sdmp | false | Avira URL Cloud: safe | unknown
https://ecl1pse.fun/ | WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecl1pse.fun/123.txt( | WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77542000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecl1pse.fun/123.txtJ | WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecl1pse.fun/123.txt- | WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ecl1pse.fun/123.txtl | WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77542000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://fontawesome.comhttps://fontawesome.comFont | WINNERIUM BETA.exe, 00000000.00000002.1252076051.00007FF636A48000.00000004.00000001.01000000.00000003.sdmp | false | | high
https://ecl1pse.fun/123.txt3 | WINNERIUM BETA.exe, 00000000.00000002.1251810995.0000015C77504000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
45.130.41.132 | ecl1pse.fun | Russian Federation | 198610 | BEGET-ASRU | false
Joe Sandbox version: 42.0.0 Malachite
Analysis ID: 1670618
Start date and time: 2025-04-21 23:59:16 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 4m 39s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 11
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: WINNERIUM BETA.exe
Detection: MAL
Classification: mal60.evad.winEXE@2/2@1/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 184.29.183.29, 172.202.163.200
• Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
        No simulations
        No context
        No context
Match: BEGET-ASRU
Associated Sample Name / URL | Detection | Threat Name | Context
phishing.eml | malicious | Unknown | 185.50.25.45
zZ25Km3aoh.exe | malicious | FormBook | 45.130.41.113
file.exe | malicious | FormBook | 45.130.41.113
njo.hta | malicious | Cobalt Strike, FormBook | 45.130.41.113
Purchase Order-2625.exe | malicious | FormBook | 5.101.152.161
Purchase Order.exe | malicious | FormBook | 5.101.152.161
Updated Price lIST.exe | malicious | FormBook | 45.130.41.113
11042025-Payment-swift.exe | malicious | FormBook | 45.130.41.113
PO#86637.exe | malicious | FormBook | 5.101.152.161
svchost.exe | malicious | Unknown | 193.168.49.79

Match: 37f463bf4616ecd445d4a1937da06e19
Associated Sample Name / URL | Detection | Threat Name | Context
BANK SLIP_SWIFT COPY-0250421_pdf.exe | malicious | GuLoader | 45.130.41.132
FA-45-04-2025.vbs | malicious | Unknown | 45.130.41.132
SAMPLE_PICTURES.vbs | malicious | LodaRAT | 45.130.41.132
Yaura.exe | malicious | LummaC Stealer | 45.130.41.132
Pb11b.74652.3.exe | malicious | Unknown | 45.130.41.132
MLO Ltr (AF-02)04152025_0015.docx.doc | malicious | Unknown | 45.130.41.132
SecuriteInfo.com.Heur.19275.5868.exe | malicious | Unknown | 45.130.41.132
SecuriteInfo.com.Heur.19275.5868.exe | malicious | Unknown | 45.130.41.132
SecuriteInfo.com.Win64.MalwareX-gen.18984.6671.exe | malicious | Vidar | 45.130.41.132
SecuriteInfo.com.Win64.MalwareX-gen.18755.16201.exe | malicious | Vidar | 45.130.41.132

No context
Process: C:\Users\user\Desktop\WINNERIUM BETA.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 27
Entropy (8bit): 3.7323082253324764
Encrypted: false
SSDEEP: 3:qiVmwn:qOh
MD5: 6C313963396AFBD6AC073CB39BE0ED90
SHA1: C1E57E22C2136EBDC192A285003C9E84979773E8
SHA-256: CE002658B1E928176E05653E4B5431C2543747955FE241FB39D16B8F463CBC20
SHA-512: 0EE658C6D1100C30D3E034CADC64BAF604F902D023CA6DFE3A5AD5910B52EFC4D0E043226C918B1B96A4F0F0D7878BCA7B4D7811939ED1C09C86BEABF6D6307C
Malicious: false
Reputation: low
Preview: vijebiteqweksteravoooolchko

Process: C:\Users\user\Desktop\WINNERIUM BETA.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 44
Entropy (8bit): 4.252172175938121
Encrypted: false
SSDEEP: 3:34FqAHMmmw2IjXy:rm3jXy
MD5: C7DC28AA9EBA63A87749420DE2327FBD
SHA1: A4E64D6C948B01067A2BBF768F6DC449546013EE
SHA-256: 5B5D2F98CDB2015548DD301B291983A0959AC6D98D0CAC4A70D663D8775354C8
SHA-512: 8A280CD15408CBC2039A9E955058A289C4C82533488EF86B7D8155F316E4540ABD21D80AC9AEED17E44F69124DE9CD07A1D21E0D87D5C9E7F69B34A49A617F62
Malicious: false
Reputation: low
Preview: [-] vijebiteqweksteravoooolchko..[!] error..
File type: PE32+ executable (console) x86-64, for MS Windows
Entropy (8bit): 7.893545785652754
TrID:
• Win64 Executable Console (202006/5) 92.65%
• Win64 Executable (generic) (12005/4) 5.51%
• Generic Win/DOS Executable (2004/3) 0.92%
• DOS Executable Generic (2002/1) 0.92%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: WINNERIUM BETA.exe
File size: 16'737'792 bytes
MD5: 1ea7701d7a2e8c0f3a7a50f0747c70f5
SHA1: 9507198adb87b6ca820077bbeb2e61605096af9e
SHA256: d9fb39ba6319a26fda70992c1d423b1d124179c2986e4a39d28e05ccafa1f7f0
SHA512: 1038b2e6d8f7ad69ae1988c8898cb74c8e115a8ed7a371f1f897c1a1928a3dbf344500a8bd0c60b27a9e2ae226aeea3cc8f59f397aab1fdfa046339108f3ace8
SSDEEP: 393216:5wmzURm3Tf9nGd0UiFMAE3xCNwOCFMRrIQhk2O9c6mvHo:5kaz9ADeuxMwOZrlWbA
TLSH: 10F623C2BEC5D6A4C1E64E101DC6639F219573DE81BFCF0E39CD9C032A81E658D1A7A6
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...D..h.........."....+.....8#......S(........@..........................................`................................
Icon Hash: 90cececece8e8eb0
Entrypoint: 0x1412853d6
Entrypoint Section: .p~s
Digitally signed: false
Imagebase: 0x140000000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp: 0x6804EB44 [Sun Apr 20 12:40:36 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2e78d66089bd48eef856d1bd3f778216
        Instruction
        inc ecx
        push esi
        dec ecx
        mov esi, 69859933h
        mov bh, 33h
        mov esi, 45669CA0h
        xor esi, esi
        push ebp
        inc ecx
        xor esi, 49B4BE93h
        inc ecx
        bswap esi
        inc cx
        not esi
        dec esp
        mov esi, dword ptr [esp+10h]
        dec eax
        mov dword ptr [esp+10h], 70F43433h
        push dword ptr [esp+08h]
        popfd
        dec eax
        lea esp, dword ptr [esp+10h]
        call 00007FCD2529F0E2h
        jnbe 00007FCD24B9A20Bh
        xlatb
        inc edx
        pushfd
        mov al, 7Ah
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b20b8 | 0x154 | .p~s
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x1aed000 | 0x1d5 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x1ae7f50 | 0x3180 | .p~s
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1aec000 | 0x110 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb47b68 | 0x28 | .p~s
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x1ae7e10 | 0x140 | .p~s
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xaf5000 | 0x128 | .?=&
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xef1c | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x10000 | 0x7560 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x18000 | 0x22b340 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.pdata | 0x244000 | 0x810 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
."m> | 0x245000 | 0x8afbd6 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.?=& | 0xaf5000 | 0xae8 | 0xc00 | 10c32a6ad012dde088ce8acafe895963 | False | 0.0439453125 | data | 0.3111563766553659 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.p~s | 0xaf6000 | 0xff50d0 | 0xff5200 | cce7c2a62422169da4ce04e4dc2b7122 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_NOT_PAGED, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.reloc | 0x1aec000 | 0x110 | 0x200 | 5508fdf9bb34c5c418ff7eac76011fe5 | False | 0.40625 | GLS_BINARY_LSB_FIRST | 2.740906682745257 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0x1aed000 | 0x1d5 | 0x200 | 5b803853f247ccae867276e1e76eb76a | False | 0.53125 | data | 4.726212239845141 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_MANIFEST | 0x1aed058 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727

DLL | Import
KERNEL32.dll | SetConsoleTextAttribute
ADVAPI32.dll | GetTokenInformation
SHELL32.dll | ShellExecuteExW
MSVCP140.dll | ?good@ios_base@std@@QEBA_NXZ
WININET.dll | InternetCloseHandle
ntdll.dll | RtlVirtualUnwind
VCRUNTIME140_1.dll | __CxxFrameHandler4
VCRUNTIME140.dll | __current_exception_context
api-ms-win-crt-runtime-l1-1-0.dll | _configure_narrow_argv
api-ms-win-crt-string-l1-1-0.dll | _wcsicmp
api-ms-win-crt-stdio-l1-1-0.dll | __stdio_common_vsprintf_s
api-ms-win-crt-heap-l1-1-0.dll | _set_new_mode
api-ms-win-crt-math-l1-1-0.dll | __setusermatherr
api-ms-win-crt-locale-l1-1-0.dll | _configthreadlocale
KERNEL32.dll | GetSystemTimeAsFileTime
KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, LoadLibraryA, GetModuleHandleA, GetProcAddress

Language of compilation system | Country where language is spoken
English | United States


        • Total Packets: 12
        • 443 (HTTPS)
        • 53 (DNS)
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 22, 2025 00:00:19.799999952 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:19.800033092 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4
Apr 22, 2025 00:00:19.800143003 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:19.822031975 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:19.822051048 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4
Apr 22, 2025 00:00:20.468321085 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4
Apr 22, 2025 00:00:20.468584061 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:21.009747028 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:21.009782076 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4
Apr 22, 2025 00:00:21.010145903 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4
Apr 22, 2025 00:00:21.010198116 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:21.017786980 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:21.064271927 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4
Apr 22, 2025 00:00:21.335344076 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4
Apr 22, 2025 00:00:21.335398912 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:21.335413933 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4
Apr 22, 2025 00:00:21.335423946 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4
Apr 22, 2025 00:00:21.335454941 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:21.335472107 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:21.340208054 CEST | 49713 | 443 | 192.168.2.4 | 45.130.41.132
Apr 22, 2025 00:00:21.340226889 CEST | 443 | 49713 | 45.130.41.132 | 192.168.2.4

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Apr 22, 2025 00:00:19.261337042 CEST | 59586 | 53 | 192.168.2.4 | 1.1.1.1
Apr 22, 2025 00:00:19.778361082 CEST | 53 | 59586 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Apr 22, 2025 00:00:19.261337042 CEST | 192.168.2.4 | 1.1.1.1 | 0x51d3 | Standard query (0) | ecl1pse.fun | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Apr 22, 2025 00:00:19.778361082 CEST | 1.1.1.1 | 192.168.2.4 | 0x51d3 | No error (0) | ecl1pse.fun | | 45.130.41.132 | A (IP address) | IN (0x0001) | false

• ecl1pse.fun
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49713 | 45.130.41.132 | 443 | 7836 | C:\Users\user\Desktop\WINNERIUM BETA.exe

Timestamp | Bytes transferred | Direction | Data
2025-04-21 22:00:21 UTC | 98 | OUT | GET /123.txt HTTP/1.1
    User-Agent: WinInet Example
    Host: ecl1pse.fun
    Cache-Control: no-cache
2025-04-21 22:00:21 UTC | 313 | IN | HTTP/1.1 200 OK
    Server: nginx-reuseport/1.21.1
    Date: Mon, 21 Apr 2025 22:00:21 GMT
    Content-Type: text/plain
    Content-Length: 27
    Last-Modified: Sun, 20 Apr 2025 14:47:05 GMT
    Connection: close
    ETag: "680508e9-1b"
    Expires: Mon, 28 Apr 2025 22:00:21 GMT
    Cache-Control: max-age=604800
    Accept-Ranges: bytes
2025-04-21 22:00:21 UTC | 27 | IN | Data Raw: 76 69 6a 65 62 69 74 65 71 77 65 6b 73 74 65 72 61 76 6f 6f 6f 6f 6c 63 68 6b 6f
    Data Ascii: vijebiteqweksteravoooolchko



Target ID: 0
Start time: 18:00:14
Start date: 21/04/2025
Path: C:\Users\user\Desktop\WINNERIUM BETA.exe
Wow64 process (32bit): false
Commandline: "C:\Users\user\Desktop\WINNERIUM BETA.exe"
Imagebase: 0x7ff636a30000
File size: 16'737'792 bytes
MD5 hash: 1EA7701D7A2E8C0F3A7A50F0747C70F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 18:00:15
Start date: 21/04/2025
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff62fc20000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

        No disassembly