Xcitium Cloud Verdict

CREATED / DROPPED FILES

File Path	Type and Hashes
C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Enlarge\tyvestykspakken.usm	Type : data MD5 : 0ca43fbee7d2abb39b43c94ee8e8ec4d SHA-1 : f6db85130d436798e702ac03d916bef0c741af10 SHA-256 : f8fc13ac66b928106b826a62a99e7e2bf1b56ba99e000e5879ba2d7b50208d17 SHA-512 : 15a0a6585d15f43706f765b28d70ac32c1a83803a76bfa04480bb3de7e21bbccee721751eaf7d29b07c3cc3c29506e3d6d89c04fa291b6fd1b032d7c636f62a0 Size : 1358.458 Kilobytes.
C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Penanced.Spg	Type : data MD5 : 202e85bb7eed102f5872c9131514a1e0 SHA-1 : 83d5573b40affa6025ccbb30ee7483968d1ea9c5 SHA-256 : 7df9cafc683133f3a0170e0756c628c018ea9ac1010eeb8c84adbf85595f2f2e SHA-512 : 261f7b206dfbb554d575f22c1585db6e76196a37f12963da9f7809e12f09e501298fc7169bdedb509f18b6967be6f47c0a072180dd985d9681d4b9cbd87f2faa Size : 339.747 Kilobytes.
C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Popelike\asexuality.Laa	Type : ASCII text, with very long lines, with no line terminators MD5 : 20d9cb6e9d2ce0561d7505080357ce46 SHA-1 : 4319e0c74dd8fcabc20e197d3e1da9d8e6e1777d SHA-256 : 26e9c7382888e8cd677a50fb29c49511d2a0f0896f43c209fbae7179a455a36d SHA-512 : 156d898a0830c2d76f40f1d370b7647563fe99c9d3dabbab9da123dab22c9b8eb68d44baf7c7c87fd04b53fb43ca3b655035fb2f5d948ed5d7553162635563bb Size : 70.742 Kilobytes.
C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Popelike\Conscionable\constituter.tab	Type : data MD5 : eaa237d37ab023920806d41b53966a12 SHA-1 : 94c40958ccfaf687300b9567773397bdaba34df4 SHA-256 : bcea8b90cb62764f7854485b99b2cf6e0e4296c7cd04e8c5dd40b2711f29437b SHA-512 : 77ea54707e9b1a22d18d2a283da5c5cc4eefc9d9640acff1b763eafb456f7468ccbac19da42f8a471b2176edb2c6abee45fd51523672fc2980aef1c47dc9ecb5 Size : 786.803 Kilobytes.
C:\Users\Public\Videos\alfred.ini	Type : ASCII text, with CRLF line terminators MD5 : 86a672b0d851a955ab58008405e43e36 SHA-1 : 4b838b4995cc79459676bbcb408e2f4a22ca8f68 SHA-256 : 3d97f1a3681b1cae3bb160880998fd26266fe20ced3e3e7fb7f072ecbd0f83ce SHA-512 : 29f05a772036bcefe7c697973f0b12a19a78b8cc83e6b991e9024a1f73d8dab88d6ed3b2b4cc2a51da97814501b523fd11dd9812a4fdfa56ea6ced8585e40481 Size : 0.057 Kilobytes.
C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Popelike\Conscionable\stdfanger.att	Type : data MD5 : ba642b9b4faae9eb6e4da87cef2fab06 SHA-1 : 2870144d71f340338dac3dba02e79e2795a1f3db SHA-256 : 5909bc3251342bb256816768f706e9b1c0a6bb0664a78856fc2b7ef15411e275 SHA-512 : 02863fac1c61e8ce1c645a6018354ce311cbad4bd78be068b566f5c7485fe3133e3b2ecb788ffb34fb9068a7ea88f280d0b94a0163d042ca081e416dddbb0ef9 Size : 1062.122 Kilobytes.
C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Popelike\Conscionable\blameres.voc	Type : data MD5 : 3022025d7d7820aa8c04bee9f14a998c SHA-1 : c2cf8b847045c0e834132eb97e00135edad164de SHA-256 : f0c4afa98590028b9d733a7f58555a840f66357c41848d459f021f5f8b8b86ae SHA-512 : 760841a841048bc6056ea624adbe217e7245735826b153c2f8e859a8fab2d1786d0252449d40e44b25dcdfd9efa23c4c611420b06941beacffb9bd5e9b79585d Size : 1180.58 Kilobytes.
C:\Users\user\stimulis.lnk	Type : MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Mon Jan 1 00:00:00 1601, mtime=Mon Jan 1 00:00:00 1601, atime=Mon Jan 1 00:00:00 1601, length=0, window=hide MD5 : 139da318b1b5eafbdb7a521ff29ea298 SHA-1 : 7e99e9824f3327f811e09ffde3f359ea5088e910 SHA-256 : 9e85b46ee77e9463821f2ed32277c497de6a9b01f82c2b579d45ceebd8e44786 SHA-512 : b77a7de8f676db3eaf279bddbdea06b3f7d7935275f89261d201731818de15682fc743d594aa76e96927789f976fc3e35ae6bce07acdf8a4be8257ed8afb5386 Size : 0.882 Kilobytes.
C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Enlarge\4598044bb8a3a25bac91e2a069062dce89fb7dfd.exe	Type : PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive MD5 : bc864bf3e7bf03bf665eb4e782989471 SHA-1 : 4598044bb8a3a25bac91e2a069062dce89fb7dfd SHA-256 : 4b23416ddb5edceb2bcfd5c8b16fc0b739e2d470e69a7c85a033fbbedcac520f SHA-512 : 2a9b9f5cca739f4d646668f556985f3873a37d04958f6eeec6897f6cf86bd429ce0d3cacd4d5dc5328572722bce624b31325100ce02a9f3aa0e386305dc573ff Size : 944.24 Kilobytes.
C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Enlarge\viceamtsborgmestrene.txt	Type : ASCII text, with CRLF line terminators MD5 : b485cf3f7554dcd671cdcba643ddbe62 SHA-1 : 49ad28e36f41192e61355686ad18e702af3f70f4 SHA-256 : 2f790220ed451fd4396f810746114e83a8a343d8b98ebbd415b6cfe944f80e6e SHA-512 : a37b675fcad8153e528be4894a1195a5f774d30631ddc3ba2a6095750fe2d4fb70f7f2b04985f67a998a56f57e9b0c474d2e444f630082d1569fb8731edd3c09 Size : 0.452 Kilobytes.
C:\Users\user\AppData\Local\Temp\Stilstandsperioden\shonkinite\nigranilin\Popelike\afvrgningen.sky	Type : data MD5 : 08d01ed9939364dfbb50511c1ee29fd1 SHA-1 : e2b3f1dd281e24caa6767db4827215d838d87e7a SHA-256 : 51f2428993917da5647765e0f98406e2f706588a33f44b6cdb7b063386869f76 SHA-512 : 707358660ba7194b45d5ea93e895cf399b4993edecbe742953c38d1c1e04ea826369c06bc97726cf3723649b626e7b248b60bbb54e44ead35c08e5b8badf5824 Size : 600.587 Kilobytes.
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms	Type : data MD5 : 37c5a48c4c2cd54efd968c398345cb44 SHA-1 : e33d66fd1b24b69e6de9953c51c7cd1bcdef13d3 SHA-256 : ae0f088fc172cf644a1d0e02d052a46ea4f63ea5419e87710f1f583703985532 SHA-512 : 98f168ff40db9acbc34a3beb49599cd106e779307080410f8e9a730dd64cea0cd7ef7e2642a384e76c9b37797d19ec4ea22a5661bba2fdd01679916ba61abf15 Size : 8.016 Kilobytes.

MATCH YARA RULES

Match Rules

STATIC FILE INFO

File Name:	4598044bb8a3a25bac91e2a069062dce89fb7dfd
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
SHA1:	4598044bb8a3a25bac91e2a069062dce89fb7dfd
MD5:	bc864bf3e7bf03bf665eb4e782989471
First Seen Date:	2024-07-01 16:56:17.147995 ( 2024-07-01 16:56:17.147995 )
Number of Clients Seen:	6
Last Analysis Date:	2024-07-02 11:46:25.752459 ( 2024-07-02 11:46:25.752459 )
Human Expert Analysis Date:	2024-07-02 13:28:22.152832 ( 2024-07-02 13:28:22.152832 )
Human Expert Analysis Result:	Malware

PE Headers

Property	Value
magic literal enum	3
file type enum	6
debug artifacts	[]
number of sections	5
trid	[[64.5, u'Win32 Executable MS Visual C++ (generic)'], [13.6, u'Win32 Dynamic Link Library (generic)'], [9.3, u'Win32 Executable (generic)'], [4.1, u'OS/2 Executable (generic)'], [4.1, u'Generic Win/DOS Executable']]
compilation time stamp	0x5C157F01 [Sat Dec 15 22:24:01 2018 UTC]
ProductName	feerne
CompanyName	melders badian paleolithic
Translation	0x0409 0x04e4
entry point	0x4031e9 (.text)
machine type	Intel 386 or later - 32Bit
file size	944240
ssdeep	24576:rOGBWnfTjl004cgJkwrivQhUfSWSv+gCF9DR2sV:rxUTja09gaqqQhUxSM9V2s
sha256	4b23416ddb5edceb2bcfd5c8b16fc0b739e2d470e69a7c85a033fbbedcac520f
exifinfo	[{u'EXE:FileSubtype': 0, u'File:FilePermissions': u'rw-r--r--', u'SourceFile': u'/nfs-aws/fvs/valkyrie_shared/core/valkyrie_files/4/5/9/8/4598044bb8a3a25bac91e2a069062dce89fb7dfd', u'EXE:ProductName': u'feerne', u'File:MIMEType': u'application/octet-stream', u'File:FileAccessDate': u'2024:07:01 12:55:36-04:00', u'EXE:InitializedDataSize': 3782656, u'File:FileModifyDate': u'2024:07:01 12:54:59-04:00', u'EXE:FileVersionNumber': u'1.4.0.0', u'File:FileSize': u'922 kB', u'EXE:CharacterSet': u'Windows, Latin1', u'EXE:MachineType': u'Intel 386 or later, and compatibles', u'EXE:FileOS': u'Win32', u'EXE:ObjectFileType': u'Executable application', u'File:FileType': u'Win32 EXE', u'EXE:CompanyName': u'melders badian paleolithic', u'File:FileName': u'4598044bb8a3a25bac91e2a069062dce89fb7dfd', u'EXE:ImageVersion': 6.0, u'File:FileTypeExtension': u'exe', u'EXE:OSVersion': 4.0, u'EXE:PEType': u'PE32', u'EXE:TimeStamp': u'2018:12:15 17:24:01-05:00', u'EXE:FileFlagsMask': u'0x0000', u'EXE:LinkerVersion': 6.0, u'EXE:FileFlags': u'(none)', u'EXE:Subsystem': u'Windows GUI', u'File:Directory': u'/nfs-aws/fvs/valkyrie_shared/core/valkyrie_files/4/5/9/8', u'EXE:EntryPoint': u'0x31e9', u'EXE:SubsystemVersion': 4.0, u'EXE:CodeSize': 25088, u'File:FileInodeChangeDate': u'2024:07:01 12:55:11-04:00', u'EXE:UninitializedDataSize': 1024, u'EXE:LanguageCode': u'English (U.S.)', u'ExifTool:ExifToolVersion': 10.1, u'EXE:ProductVersionNumber': u'1.4.0.0'}]
mime type	application/x-dosexec
imphash	3abe302b6d9a1256e6a915429af4ffd2

File Paths

File Path on Client	Seen Count
file/to/path	1

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	MD5
.text	0x1000	0x6068	0x6200	6.45071390001	adb3e7aaafcc05f64701b4c2f6385889
.rdata	0x8000	0x1250	0x1400	5.04163613318	99b48cddaa99007d1d87676aa49e9798
.data	0xa000	0x399058	0x400	5.13238478013	f95027c0eac5eb0bf708aa96757ff20d
.ndata	0x3a4000	0x22000	0x0	0.0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	0x3c6000	0x5aa90	0x5ac00	4.19454712875	0a944c5002d43e43a46e4c5a49f345c6

PE Imports

KERNEL32.dll
- GetTempPathA
- GetFileSize
- GetModuleFileNameA
- GetCurrentProcess
- CopyFileA
- ExitProcess
- SetEnvironmentVariableA
- Sleep
- GetTickCount
- GetCommandLineA
- lstrlenA
- GetVersion
- SetErrorMode
- lstrcpynA
- GetDiskFreeSpaceA
- GlobalUnlock
- GetWindowsDirectoryA
- SetCurrentDirectoryA
- GetLastError
- CreateDirectoryA
- CreateProcessA
- RemoveDirectoryA
- CreateFileA
- GetTempFileNameA
- ReadFile
- WriteFile
- lstrcpyA
- MoveFileExA
- lstrcatA
- GetSystemDirectoryA
- GetProcAddress
- GetExitCodeProcess
- WaitForSingleObject
- CompareFileTime
- SetFileAttributesA
- GetFileAttributesA
- GetShortPathNameA
- MoveFileA
- GetFullPathNameA
- SetFileTime
- SearchPathA
- CloseHandle
- lstrcmpiA
- CreateThread
- GlobalLock
- lstrcmpA
- FindFirstFileA
- FindNextFileA
- DeleteFileA
- SetFilePointer
- GetPrivateProfileStringA
- FindClose
- MultiByteToWideChar
- FreeLibrary
- MulDiv
- WritePrivateProfileStringA
- LoadLibraryExA
- GetModuleHandleA
- GlobalAlloc
- GlobalFree
- ExpandEnvironmentStringsA
USER32.dll
- ScreenToClient
- GetSystemMenu
- SetClassLongA
- IsWindowEnabled
- SetWindowPos
- GetSysColor
- GetWindowLongA
- SetCursor
- LoadCursorA
- CheckDlgButton
- GetMessagePos
- LoadBitmapA
- CallWindowProcA
- IsWindowVisible
- CloseClipboard
- SetClipboardData
- EmptyClipboard
- PostQuitMessage
- GetWindowRect
- EnableMenuItem
- CreatePopupMenu
- GetSystemMetrics
- SetDlgItemTextA
- GetDlgItemTextA
- MessageBoxIndirectA
- CharPrevA
- DispatchMessageA
- PeekMessageA
- ReleaseDC
- EnableWindow
- InvalidateRect
- SendMessageA
- DefWindowProcA
- BeginPaint
- GetClientRect
- FillRect
- DrawTextA
- EndDialog
- RegisterClassA
- SystemParametersInfoA
- CreateWindowExA
- GetClassInfoA
- DialogBoxParamA
- CharNextA
- ExitWindowsEx
- GetDC
- CreateDialogParamA
- SetTimer
- GetDlgItem
- SetWindowLongA
- SetForegroundWindow
- LoadImageA
- IsWindow
- SendMessageTimeoutA
- FindWindowExA
- OpenClipboard
- TrackPopupMenu
- AppendMenuA
- EndPaint
- DestroyWindow
- wsprintfA
- ShowWindow
- SetWindowTextA
GDI32.dll
- SelectObject
- SetBkMode
- CreateFontIndirectA
- SetTextColor
- DeleteObject
- GetDeviceCaps
- CreateBrushIndirect
- SetBkColor
SHELL32.dll
- SHGetSpecialFolderLocation
- ShellExecuteExA
- SHGetPathFromIDListA
- SHBrowseForFolderA
- SHGetFileInfoA
- SHFileOperationA
ADVAPI32.dll
- AdjustTokenPrivileges
- RegCreateKeyExA
- RegOpenKeyExA
- SetFileSecurityA
- OpenProcessToken
- LookupPrivilegeValueA
- RegEnumValueA
- RegDeleteKeyA
- RegDeleteValueA
- RegCloseKey
- RegSetValueExA
- RegQueryValueExA
- RegEnumKeyA
COMCTL32.dll
- ImageList_Create
- ImageList_AddMasked
- ImageList_Destroy
- None
ole32.dll
- OleUninitialize
- OleInitialize
- CoTaskMemFree
- CoCreateInstance

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 3957880, u'sha256': u'914ae123d2b230484ccb8a351d99b50aff024b059c7e5e869da5b89e1400ed0d', u'type': u'dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0', u'size': 270376}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4228256, u'sha256': u'd9433a671e0eea301a770be87e5de4c2b4fb82a323666d62478a1172b4b2f9d5', u'type': u'dBase IV DBT, blocks size 0, block length 2048, next free block index 40, next free block 0, next used block 0', u'size': 67624}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4295880, u'sha256': u'd7e075d9fe4ba866051ea6355a1e14aaabd8fa5a170ebfe1002f52254a7f0651', u'type': u'data', u'size': 9640}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4305520, u'sha256': u'e9686cd6662c0b0af0823ac90709019b150b50a1b9d71e7da25f1880dde69ca4', u'type': u'data', u'size': 4264}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4309784, u'sha256': u'07003ce26d8f946b66ccae27ffca7a5934c3d1d6e5482152643340eb9ac4eb5c', u'type': u'data', u'size': 3752}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4313536, u'sha256': u'86414c758e75d62cbb8fb82732ed52909cab7ce51694d3e99cfc5c7be59395ba', u'type': u'data', u'size': 2440}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4315976, u'sha256': u'1c19529795a20280233b7ba76e8631c46b727ddf580fba91e2adb28f9a6c6856', u'type': u'dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 16579055, next used block 16118770', u'size': 2216}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4318192, u'sha256': u'1bac4541a38451ec6f7000e2d62d3fe9c848a23fa2f894140eac4f6613be01f2', u'type': u'data', u'size': 1736}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4319928, u'sha256': u'150625c5e665ec395fffd85dd05ab74e1ffb61438182644f37904f5cdd4c05cb', u'type': u'data', u'size': 1640}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4321568, u'sha256': u'935d8426085866fdbd878b79f86feb94b04d01174cc3290df1571dd7281e6958', u'type': u'GLS_BINARY_LSB_FIRST', u'size': 1384}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4322952, u'sha256': u'd9b652e38446e2c937190aac259214fb80fc7ada2c4bae48186989a57bb9eeed', u'type': u'GLS_BINARY_LSB_FIRST', u'size': 1128}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4324080, u'sha256': u'fcf930459a81913f64b4a5f06187ebeda88c6355eaac532aec7760dc2e5851ad', u'type': u'dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 2298019839, next used block 128', u'size': 744}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4324824, u'sha256': u'da2408936dbd0c1f976f45fb67d41207ca6fbb329c859d84d3dd2db4d6f9bc6a', u'type': u'data', u'size': 488}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_ICON', u'offset': 4325312, u'sha256': u'63682e6cf4b81efa2a17b2a1f39ed3613a0745c536e0b695c78f118dc0144de9', u'type': u'GLS_BINARY_LSB_FIRST', u'size': 296}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_DIALOG', u'offset': 4325608, u'sha256': u'fecdb955f8d7f1c219ff8167f90b64f3cb52e53337494577ff73c0ac1dafcd96', u'type': u'data', u'size': 256}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_DIALOG', u'offset': 4325864, u'sha256': u'69897c784f1491eb3024b0d52c2897196a2e245974497fda1915db5fefcf8729', u'type': u'data', u'size': 284}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_DIALOG', u'offset': 4326152, u'sha256': u'2d986f26ff752607366192a903078cdd7d6da06ab97309c85cd5c8cf05f823b6', u'type': u'data', u'size': 196}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_DIALOG', u'offset': 4326352, u'sha256': u'85025c8556952f6a651c2468c8a0d58853b0ba482be9ad5cd3060f216540dfc0', u'type': u'data', u'size': 96}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_GROUP_ICON', u'offset': 4326448, u'sha256': u'c2e09563484e00a6e450554128ff00bf104768216ef9c936e89fe7acb6f0bf5a', u'type': u'MS Windows icon resource - 14 icons, 48x48, 16 colors', u'size': 202}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_VERSION', u'offset': 4326656, u'sha256': u'e2ca706c975c96edeaad16d662cf64d361d0ad120b3cfa268c75bc92b3c3a101', u'type': u'data', u'size': 356}

{u'lang': u'LANG_ENGLISH', u'name': u'RT_MANIFEST', u'offset': 4327016, u'sha256': u'e4039327090739a6754db86ef1704a8a07115ceb11719c0987a9d00a77a77f16', u'type': u'XML 1.0 document, ASCII text, with very long lines, with no line terminators', u'size': 1059}

File Name: 4598044bb8a3a25bac91e2a069062dce89fb7dfd

File Type: PE32 executable (GUI) Intel 80386, for MS Windows

SHA1: 4598044bb8a3a25bac91e2a069062dce89fb7dfd

MD5: bc864bf3e7bf03bf665eb4e782989471