Windows Analysis Report
cp.exe

Overview

General Information

Sample name: cp.exe
Analysis ID: 1467845
MD5: 024547ee3841ed6035b7bb9866452713
SHA1: 8f1c8a12cecaeb4f15f3d2a3332073a0b1aefb36
SHA256: f89e565d3e73984e9b538fba979c8798f06775706cde8ecd1a921c61fecf2d28
Tags: exe

Detection

Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

AI detected suspicious sample
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection

Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\udmxic Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\uwlocrmqutuaw Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dpijo Joe Sandbox ML: detected
Source: cp.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: C:\Users\sveinar\Desktop\DiskState\Src Tutorial\Release\DSTutorial.pdb source: cp.exe
Source: Binary string: C:\Users\sveinar\Desktop\DiskState\Src Tutorial\Release\DSTutorial.pdbq source: cp.exe
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\comp.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0016A6F4 FindFirstFileExW, 13_2_0016A6F4
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00136320 WSAStartup,getaddrinfo,WSACleanup,socket,connect,closesocket,freeaddrinfo,send,closesocket,WSACleanup,recv,closesocket,WSACleanup,closesocket,WSACleanup, 13_2_00136320
Source: cp.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: cp.exe, 00000000.00000002.2020947430.0000000003A93000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302842443.0000000004928000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153537719.00000000036FD000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151012365.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283875549.0000000004EA2000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373700226.0000000004A45000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303902668.000000000495C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458719837.00000000051EC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: cp.exe, 00000000.00000002.2020947430.0000000003806000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302842443.00000000048DF000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153537719.0000000003470000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151012365.0000000003883000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283875549.0000000004E59000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373700226.00000000049FC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303902668.0000000004913000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458719837.00000000051A3000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374498298.0000000004934000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: cp.exe, 00000000.00000002.2020947430.0000000003A93000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302842443.0000000004928000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153537719.00000000036FD000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151012365.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283875549.0000000004EA2000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373700226.0000000004A45000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303902668.000000000495C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458719837.00000000051EC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: cp.exe, 00000000.00000002.2020947430.0000000003A93000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302842443.0000000004928000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153537719.00000000036FD000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151012365.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283875549.0000000004EA2000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373700226.0000000004A45000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303902668.000000000495C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458719837.00000000051EC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: cp.exe, 00000000.00000002.2020947430.0000000003A93000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302842443.0000000004928000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153537719.00000000036FD000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151012365.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283875549.0000000004EA2000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373700226.0000000004A45000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303902668.000000000495C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458719837.00000000051EC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: cp.exe, 00000000.00000002.2020947430.0000000003A93000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302842443.0000000004928000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153537719.00000000036FD000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151012365.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283875549.0000000004EA2000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373700226.0000000004A45000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303902668.000000000495C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458719837.00000000051EC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: cp.exe, 00000000.00000002.2020947430.0000000003A93000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302842443.0000000004928000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153537719.00000000036FD000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151012365.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283875549.0000000004EA2000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373700226.0000000004A45000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303902668.000000000495C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458719837.00000000051EC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: cp.exe, 00000000.00000002.2020947430.0000000003A93000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302842443.0000000004928000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153537719.00000000036FD000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151012365.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283875549.0000000004EA2000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373700226.0000000004A45000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303902668.000000000495C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458719837.00000000051EC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: cp.exe, 00000000.00000002.2020947430.0000000003A93000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302842443.0000000004928000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153537719.00000000036FD000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151012365.0000000003B10000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283875549.0000000004EA2000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373700226.0000000004A45000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303902668.000000000495C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458719837.00000000051EC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00136F30 OpenClipboard,GetClipboardData,CloseClipboard,std::locale::_Init,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard, 13_2_00136F30
Source: C:\Windows\SysWOW64\comp.exe File created: C:\Windows\Tasks\CefSharp.BrowserSubprocess.job
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00136F30 13_2_00136F30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0015F0BA 13_2_0015F0BA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00136F30 13_2_00136F30
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0013117A 13_2_0013117A
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00140190 13_2_00140190
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0014B23D 13_2_0014B23D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0015F381 13_2_0015F381
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0013D560 13_2_0013D560
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_001685A7 13_2_001685A7
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0015F63C 13_2_0015F63C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0014D9E1 13_2_0014D9E1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0014AA57 13_2_0014AA57
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0015FA50 13_2_0015FA50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0015EA9E 13_2_0015EA9E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0016CAF0 13_2_0016CAF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0013DB00 13_2_0013DB00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00142B40 13_2_00142B40
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0014FDE1 13_2_0014FDE1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0015EE10 13_2_0015EE10
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00145E13 13_2_00145E13
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00168E29 13_2_00168E29
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00135F80 13_2_00135F80
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 001470F2 appears 34 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 001473A2 appears 82 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 00147820 appears 45 times
Source: cp.exe Static PE information: invalid certificate
Source: cp.exe, 00000000.00000002.2020077540.00000000031A3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDSTutorial.exeF vs cp.exe
Source: cp.exe, 00000000.00000002.2020806103.00000000036AD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs cp.exe
Source: cp.exe, 00000000.00000000.1999918428.00000000007B3000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameDSTutorial.exeF vs cp.exe
Source: cp.exe, 00000000.00000002.2021503139.000000000453B000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs cp.exe
Source: cp.exe, 00000000.00000002.2019674190.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamecolorui.dllj% vs cp.exe
Source: cp.exe, 00000000.00000002.2020947430.0000000003A93000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs cp.exe
Source: cp.exe Binary or memory string: OriginalFilenameDSTutorial.exeF vs cp.exe
Source: cp.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: classification engine Classification label: mal72.evad.winEXE@18/10@0/0
Source: C:\Windows\SysWOW64\comp.exe File created: C:\Users\user\AppData\Roaming\Obcloud
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6348:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6524:120:WilError_03
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\OperaGxLaunchHelperInter
Source: C:\Users\user\Desktop\cp.exe File created: C:\Users\user\AppData\Local\Temp\a4108ad7
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: cp.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cp.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\cp.exe File read: C:\Users\user\Desktop\cp.exe
Source: unknown Process created: C:\Users\user\Desktop\cp.exe "C:\Users\user\Desktop\cp.exe"
Source: C:\Users\user\Desktop\cp.exe Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\cp.exe Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\cp.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: colorui.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: mscms.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\Desktop\cp.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: wer.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: mstask.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: colorui.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: mscms.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: wer.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\comp.exe Section loaded: mstask.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\comp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: cp.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: cp.exe Static file information: File size 4385800 > 1048576
Source: cp.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x14d200
Source: cp.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x28ce00
Source: cp.exe Static PE information: More than 200 imports for USER32.dll
Source: cp.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: colorui.pdb source: cp.exe, 00000000.00000002.2019674190.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, cp.exe, 00000000.00000002.2019674190.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2152639067.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2152639067.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2149618787.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2149618787.0000000000B39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ESENTPRF.pdb source: explorer.exe, explorer.exe, 0000000D.00000002.4458119225.0000000000196000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374192088.0000000000196000.00000008.00000001.01000000.00000000.sdmp, udmxic.2.dr, uwlocrmqutuaw.7.dr, dpijo.9.dr
Source: Binary string: colorui.pdbGCTL source: cp.exe, 00000000.00000002.2019674190.0000000000AB9000.00000004.00000020.00020000.00000000.sdmp, cp.exe, 00000000.00000002.2019674190.0000000000AF2000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2152639067.0000000000A09000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2152639067.0000000000A43000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2149618787.0000000000B00000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2149618787.0000000000B39000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdbUGP source: cp.exe, 00000000.00000002.2019837042.0000000002689000.00000004.00000020.00020000.00000000.sdmp, cp.exe, 00000000.00000002.2021503139.0000000004418000.00000004.00000001.00020000.00000000.sdmp, cp.exe, 00000000.00000002.2020806103.0000000003580000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302996226.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302726527.0000000004575000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2154092117.00000000043EB000.00000004.00000001.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153934424.0000000004030000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153409342.0000000003209000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2150080420.00000000026EC000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2150781023.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151832009.000000000449B000.00000004.00000001.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283739232.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283963987.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373785405.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373570599.0000000004698000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2304116293.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303998761.0000000004A58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458857086.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458511694.0000000004E46000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374585925.0000000004A50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374373592.00000000045D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cp.exe, 00000000.00000002.2019837042.0000000002689000.00000004.00000020.00020000.00000000.sdmp, cp.exe, 00000000.00000002.2021503139.0000000004418000.00000004.00000001.00020000.00000000.sdmp, cp.exe, 00000000.00000002.2020806103.0000000003580000.00000004.00000800.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302996226.0000000004A00000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000002.00000002.2302726527.0000000004575000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2154092117.00000000043EB000.00000004.00000001.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153934424.0000000004030000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000005.00000002.2153409342.0000000003209000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2150080420.00000000026EC000.00000004.00000020.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2150781023.00000000035C0000.00000004.00000800.00020000.00000000.sdmp, AacAmbientLighting.exe, 00000006.00000002.2151832009.000000000449B000.00000004.00000001.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283739232.0000000004AF5000.00000004.00000020.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2283963987.0000000004F70000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373785405.0000000004B10000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373570599.0000000004698000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2304116293.0000000004DB0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303998761.0000000004A58000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458857086.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458511694.0000000004E46000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374585925.0000000004A50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374373592.00000000045D7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\sveinar\Desktop\DiskState\Src Tutorial\Release\DSTutorial.pdb source: cp.exe
Source: Binary string: ESENTPRF.pdbGCTL source: comp.exe, 00000002.00000002.2303280052.0000000005470000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000007.00000002.2284172565.0000000005930000.00000004.00001000.00020000.00000000.sdmp, comp.exe, 00000009.00000002.2373972550.0000000005470000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2303752148.00000000029E6000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.4458119225.0000000000196000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000E.00000002.2374192088.0000000000196000.00000008.00000001.01000000.00000000.sdmp, udmxic.2.dr, uwlocrmqutuaw.7.dr, dpijo.9.dr
Source: Binary string: C:\Users\sveinar\Desktop\DiskState\Src Tutorial\Release\DSTutorial.pdbq source: cp.exe
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_001560B5 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_001560B5
Source: cp.exe Static PE information: real checksum: 0x43c315 should be: 0x43cb15
Source: udmxic.2.dr Static PE information: real checksum: 0x0 should be: 0x641a2
Source: uwlocrmqutuaw.7.dr Static PE information: real checksum: 0x0 should be: 0x641a2
Source: dpijo.9.dr Static PE information: real checksum: 0x0 should be: 0x641a2
Source: udmxic.2.dr Static PE information: section name: hwmn
Source: uwlocrmqutuaw.7.dr Static PE information: section name: hwmn
Source: dpijo.9.dr Static PE information: section name: hwmn
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0014737C push ecx; ret 13_2_0014738F
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00147866 push ecx; ret 13_2_00147879
Source: C:\Windows\SysWOW64\comp.exe File created: C:\Users\user\AppData\Local\Temp\dpijo Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe File created: C:\Users\user\AppData\Local\Temp\udmxic Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe File created: C:\Users\user\AppData\Local\Temp\uwlocrmqutuaw Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe File created: C:\Users\user\AppData\Local\Temp\udmxic Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe File created: C:\Users\user\AppData\Local\Temp\uwlocrmqutuaw Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe File created: C:\Users\user\AppData\Local\Temp\dpijo Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe File created: C:\Windows\Tasks\CefSharp.BrowserSubprocess.job Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\comp.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\UDMXIC
Source: C:\Windows\SysWOW64\comp.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\UWLOCRMQUTUAW
Source: C:\Windows\SysWOW64\comp.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\DPIJO
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00145E13 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_00145E13
Source: C:\Users\user\Desktop\cp.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\cp.exe API/Special instruction interceptor: Address: 6E577B27
Source: C:\Users\user\Desktop\cp.exe API/Special instruction interceptor: Address: 6E57781D
Source: C:\Windows\SysWOW64\comp.exe API/Special instruction interceptor: Address: 6E573B97
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe API/Special instruction interceptor: Address: 6E577B27
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe API/Special instruction interceptor: Address: 6E57781D
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 49A317
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 2233 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Window / User API: threadDelayed 7765 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\dpijo Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\udmxic Jump to dropped file
Source: C:\Windows\SysWOW64\comp.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\uwlocrmqutuaw Jump to dropped file
Source: C:\Windows\SysWOW64\explorer.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Windows\SysWOW64\explorer.exe API coverage: 5.0 %
Source: C:\Windows\SysWOW64\explorer.exe TID: 1784 Thread sleep count: 2233 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1784 Thread sleep time: -223300s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1784 Thread sleep count: 7765 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe TID: 1784 Thread sleep time: -776500s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0016A6F4 FindFirstFileExW, 13_2_0016A6F4
Source: explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 0000000E.00000002.2374498298.000000000497D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: C:\Users\user\Desktop\cp.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00162281 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00162281
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_001560B5 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 13_2_001560B5
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0016821C mov eax, dword ptr fs:[00000030h] 13_2_0016821C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00168262 mov eax, dword ptr fs:[00000030h] 13_2_00168262
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00163B84 mov eax, dword ptr fs:[00000030h] 13_2_00163B84
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0016B60E GetProcessHeap, 13_2_0016B60E
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00162281 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00162281
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_001475C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_001475C8
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00147A22 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_00147A22
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00147BB5 SetUnhandledExceptionFilter, 13_2_00147BB5

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\cp.exe NtSetInformationThread: Direct from: 0x52F912 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe NtQuerySystemInformation: Direct from: 0x532F8C Jump to behavior
Source: C:\Users\user\Desktop\cp.exe NtProtectVirtualMemory: Direct from: 0x6CEC3A0A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe NtProtectVirtualMemory: Direct from: 0x6CED2F45 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe NtProtectVirtualMemory: Direct from: 0x6CED2D1B Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5892 base: 2970000 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5892 base: 2B962D8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5892 base: 2B971E8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5892 base: 4979C0 value: 55 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5892 base: 2B97008 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5708 base: 30E0000 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5708 base: 2E1B2D8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5708 base: 2E1C1E8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5708 base: 4979C0 value: 55 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 5708 base: 2E1C008 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 7056 base: 120000 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 7056 base: 28762D8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 7056 base: 28771E8 value: 00 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 7056 base: 4979C0 value: 55 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: PID: 7056 base: 2877008 value: 00 Jump to behavior
Source: C:\Users\user\Desktop\cp.exe Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: read write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Section loaded: NULL target: C:\Windows\SysWOW64\comp.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 4979C0 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2B97008 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 4979C0 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2E1C008 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 4979C0 Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2877008 Jump to behavior
Source: C:\Users\user\Desktop\cp.exe Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Process created: C:\Windows\SysWOW64\comp.exe C:\Windows\SysWOW64\comp.exe Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\comp.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0014787B cpuid 13_2_0014787B
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 13_2_0016D049
Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW, 13_2_0016D2EF
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW, 13_2_001672E9
Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW, 13_2_0016D33A
Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW, 13_2_0016D3D5
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 13_2_0016D460
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW, 13_2_0016D6B5
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_0016D7DD
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW, 13_2_0016D8E5
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_0016D9B8
Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW, 13_2_00166DEA
Source: C:\Users\user\Desktop\cp.exe Queries volume information: C:\Users\user\AppData\Local\Temp\a4108ad7 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abfd1c3f VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\Obcloud\AacAmbientLighting.exe Queries volume information: C:\Users\user\AppData\Local\Temp\ac0d34a7 VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\cp.exe Code function: 0_2_00523ECA GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00523ECA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0014D71C GetVersionExW,Concurrency::details::platform::InitializeSystemFunctionPointers,Concurrency::details::WinRT::Initialize,__CxxThrowException@8, 13_2_0014D71C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_0015804D Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::SchedulerBase::GetInternalContext, 13_2_0015804D
Source: C:\Windows\SysWOW64\explorer.exe Code function: 13_2_00158D23 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::InternalContextBase::SwitchOut,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::ReleaseInternalContext,Concurrency::details::InternalContextBase::SwitchTo,Concurrency::details::SchedulerBase::ReleaseInternalContext, 13_2_00158D23
No contacted IP infos