Windows Analysis Report
Fnvtdhenapsfwu.exe

Overview

General Information

Sample Name: Fnvtdhenapsfwu.exe
Analysis ID: 1303888
MD5: cffe529403460c6affe0f52c1e7de602
SHA1: 3e03898f87c2cc47d57893c3dd55302281e9f2b5
SHA256: 56a3dc5c90ade897e349ba0fd0433770dcdda32b5bd2a1c6608b2af2f9b34c05
Infos:

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Remcos
Antivirus detection for URL or domain
Found malware configuration
Yara detected UAC Bypass using CMSTP
Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected DBatLoader
Multi AV Scanner detection for dropped file
Contains functionality to steal Firefox passwords or cookies
Allocates memory in foreign processes
Injects a PE file into a foreign process
Contains functionality to change the wallpaper
Drops PE files with a suspicious file extension
Writes to foreign memory regions
Delayed program exit found
Contains functionality to modify clipboard data
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Drops PE files
Tries to load missing DLLs
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Yara detected Keylogger Generic
Contains functionality to retrieve information about pressed keystrokes
Dropped file seen in connection with other malware
Contains functionality to read data from the clipboard
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to shutdown / reboot the system
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a DirectInput object (often for capturing keystrokes)
Sample file name differs from the original file name recorded in its version info
Extensive use of GetProcAddress (often used to hide API calls)
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Uses Microsoft's Enhanced Cryptographic Provider
Contains functionality to simulate mouse events

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenapsll&= Avira URL Cloud: Label: phishing
Source: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenapsf Avira URL Cloud: Label: phishing
Source: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/FnvtdhenapsDLLq/ Avira URL Cloud: Label: phishing
Source: http://wsvdyhrgebwhevawe.ydns.eu/ Avira URL Cloud: Label: phishing
Source: tornado.ydns.eu Avira URL Cloud: Label: phishing
Source: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenaps Avira URL Cloud: Label: phishing
Source: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/FnvtdhenapsDLL Avira URL Cloud: Label: phishing
Source: Fnvtdhenapsfwu.exe Malware Configuration Extractor: DBatLoader {"Download Url": "http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenaps"}
Source: 00000001.00000002.474312952.00000000007D5000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "tornado.ydns.eu:1972:1orifak.ydns.eu:1972:1", "Assigned name": "ES 5th", "Copy file": "remcos.exe", "Mutex": "RmEEESSSssss-3AINT8", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: Fnvtdhenapsfwu.exe ReversingLabs: Detection: 62%
Source: Yara match File source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.474312952.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253206056.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253042102.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253092372.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253076423.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 6388, type: MEMORYSTR
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF ReversingLabs: Detection: 62%
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00433789 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 1_2_00433789
Source: SndVol.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 6388, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_004074FD _wcslen,CoGetObject, 1_2_004074FD
Source: Fnvtdhenapsfwu.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: easinvoker.pdb source: Fnvtdhenapsfwu.exe, 00000000.00000002.218479200.000000000EB7F000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhenapsfwu.exe, 00000000.00000003.213652513.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhenapsfwu.exe, 00000000.00000002.220939596.000000007F4A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbH source: Fnvtdhenapsfwu.exe, 00000000.00000002.218479200.000000000EB7F000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhenapsfwu.exe, 00000000.00000003.213652513.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhenapsfwu.exe, 00000000.00000002.220939596.000000007F4A0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 1_2_00407C97
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02CB58CC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041C1E3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 1_2_0041C1E3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_00409253
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040C29B FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 1_2_0040C29B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_00409665
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0044E749 FindFirstFileExA, 1_2_0044E749
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 1_2_0040880C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040783C FindFirstFileW,FindNextFileW, 1_2_0040783C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00419A47 FindFirstFileW,FindNextFileW,FindNextFileW, 1_2_00419A47
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040BA7E FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 1_2_0040BA7E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040BC85 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 1_2_0040BC85

Networking

Source: Malware configuration extractor URLs: tornado.ydns.eu
Source: Malware configuration extractor URLs: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenaps
Source: global traffic HTTP traffic detected: GET /goofeeewsvd/Fnvtdhenaps HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: wsvdyhrgebwhevawe.ydns.eu
Source: Joe Sandbox View ASN Name: CMCSUS
Source: global traffic TCP traffic: 192.168.2.4:49707 -> 193.42.32.61:1972
Source: Fnvtdhen.PIF, 00000002.00000002.253230097.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://://t.exet.exe
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.216838629.000000000019B000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://://t.exet.exen
Source: SndVol.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: SndVol.exe, 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, SndVol.exe, 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.216873929.00000000005C1000.00000004.00000020.00020000.00000000.sdmp, Fnvtdhen.PIF, 00000002.00000002.253289545.00000000005D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wsvdyhrgebwhevawe.ydns.eu/
Source: Fnvtdhen.PIF, 00000002.00000002.255025032.000000000EC6C000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhen.PIF, 00000002.00000002.253289545.00000000005FF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenaps
Source: Fnvtdhen.PIF, 00000002.00000002.253289545.00000000005C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/FnvtdhenapsDLL
Source: Fnvtdhen.PIF, 00000002.00000002.253289545.00000000005C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/FnvtdhenapsDLLq/
Source: Fnvtdhen.PIF, 00000002.00000002.253289545.00000000005A1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenapsf
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.216873929.0000000000591000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wsvdyhrgebwhevawe.ydns.eu/goofeeewsvd/Fnvtdhenapsll&=
Source: Fnvtdhenapsfwu.exe, Fnvtdhenapsfwu.exe, 00000000.00000002.217337311.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhenapsfwu.exe, 00000000.00000002.221331055.000000007FD20000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: unknown DNS traffic detected: queries for: wsvdyhrgebwhevawe.ydns.eu
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00426C03 recv, 1_2_00426C03

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041680F OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 1_2_0041680F
Source: Yara match File source: Process Memory Space: Fnvtdhenapsfwu.exe PID: 7056, type: MEMORYSTR
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 1_2_0040A3E0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040B65C OpenClipboard,GetClipboardData,CloseClipboard, 1_2_0040B65C
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.216873929.000000000057A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud

Source: Yara match File source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.474312952.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253206056.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253042102.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253092372.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253076423.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 6388, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041C934 SystemParametersInfoW, 1_2_0041C934

System Summary

Source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: Process Memory Space: SndVol.exe PID: 7120, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 6388, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB20C4 0_2_02CB20C4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041F04C 1_2_0041F04C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0043E01C 1_2_0043E01C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_004540AA 1_2_004540AA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_004380B8 1_2_004380B8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00446140 1_2_00446140
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0043E24B 1_2_0043E24B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0045327C 1_2_0045327C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_004272EF 1_2_004272EF
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00437436 1_2_00437436
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0043E4A8 1_2_0043E4A8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_004386C0 1_2_004386C0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0043784E 1_2_0043784E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00433898 1_2_00433898
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0044D899 1_2_0044D899
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00427998 1_2_00427998
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041DAB4 1_2_0041DAB4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00427B01 1_2_00427B01
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00437C83 1_2_00437C83
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00426D60 1_2_00426D60
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0043DDED 1_2_0043DDED
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00435DB1 1_2_00435DB1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00413F18 1_2_00413F18
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00436F3A 1_2_00436F3A
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCD85C InetIsOffline,CoInitialize,CoUninitialize,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,GetCurrentProcess,FlushInstructionCache,GetCurrentProcess,ExitProcess, 0_2_02CCD85C
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: ???.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: ????.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: advapi.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: archiveint.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: ???.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: ????.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: ??l.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: endpointdlp.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: advapi.dll
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Section loaded: ??l.dll
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\Fnvtdhen.PIF 56A3DC5C90ADE897E349BA0FD0433770DCDDA32B5BD2A1C6608B2AF2F9B34C05
Source: Fnvtdhenapsfwu.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: Process Memory Space: SndVol.exe PID: 7120, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 6388, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00416702 ExitWindowsEx,LoadLibraryA,GetProcAddress, 1_2_00416702
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: String function: 02CB4824 appears 328 times
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: String function: 02CB4698 appears 80 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 004346C2 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00402093 appears 50 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00401E65 appears 33 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 00434D80 appears 54 times
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCA6A0 GetModuleHandleW,GetProcAddress,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,NtWriteVirtualMemory,GetModuleHandleW,GetProcAddress,RtlCreateUserThread,CloseHandle,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory,GetCurrentProcess,NtFreeVirtualMemory, 0_2_02CCA6A0
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCCAB0 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02CCCAB0
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC7A50 GetModuleHandleW,GetProcAddress,NtProtectVirtualMemory, 0_2_02CC7A50
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCCB94 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02CCCB94
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC7B74 LoadLibraryExA,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtProtectVirtualMemory,GetCurrentProcess,NtWriteVirtualMemory,FreeLibrary, 0_2_02CC7B74
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC7B14 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02CC7B14
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCD85C InetIsOffline,CoInitialize,CoUninitialize,WinExec,CreateProcessAsUserW,NtQueueApcThread,ResumeThread,CloseHandle,GetCurrentProcess,FlushInstructionCache,GetCurrentProcess,ExitProcess, 0_2_02CCD85C
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC79BC GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory, 0_2_02CC79BC
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCCA20 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02CCCA20
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCCF5C CreateProcessAsUserW,NtCreateProcess,WaitForSingleObject,CloseHandle,CloseHandle, 0_2_02CCCF5C
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC7F00 CreateProcessAsUserW,GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,NtResumeThread, 0_2_02CC7F00
Source: Fnvtdhenapsfwu.exe Binary or memory string: OriginalFilename vs Fnvtdhenapsfwu.exe
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.218479200.000000000EB7F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs Fnvtdhenapsfwu.exe
Source: Fnvtdhenapsfwu.exe, 00000000.00000003.213652513.000000007EED0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs Fnvtdhenapsfwu.exe
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.220939596.000000007F4A0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs Fnvtdhenapsfwu.exe
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.217337311.0000000002CD9000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs Fnvtdhenapsfwu.exe
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.221331055.000000007FD20000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs Fnvtdhenapsfwu.exe
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe File created: C:\Users\Public\Libraries\Fnvtdhen.PIF
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@6/3@4/3
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041A99C OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 1_2_0041A99C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041B3FA FindResourceA,LoadResource,LockResource,SizeofResource, 1_2_0041B3FA
Source: Fnvtdhenapsfwu.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe File read: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe C:\Users\user\Desktop\Fnvtdhenapsfwu.exe
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: unknown Process created: C:\Users\Public\Libraries\Fnvtdhen.PIF "C:\Users\Public\Libraries\Fnvtdhen.PIF"
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_004178A4 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 1_2_004178A4
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC6DC0 CoCreateInstance, 0_2_02CC6DC0
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB7FB8 GetDiskFreeSpaceA, 0_2_02CB7FB8
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCA2F0 CreateToolhelp32Snapshot, 0_2_02CCA2F0
Source: C:\Windows\SysWOW64\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\RmEEESSSssss-3AINT8
Source: C:\Windows\SysWOW64\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\Windows Volume App Window
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\colorcpl.exe Window detected: Number of UI elements: 12
Source: Fnvtdhenapsfwu.exe Static file information: File size 1243648 > 1048576
Source: Binary string: easinvoker.pdb source: Fnvtdhenapsfwu.exe, 00000000.00000002.218479200.000000000EB7F000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhenapsfwu.exe, 00000000.00000003.213652513.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhenapsfwu.exe, 00000000.00000002.220939596.000000007F4A0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbH source: Fnvtdhenapsfwu.exe, 00000000.00000002.218479200.000000000EB7F000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhenapsfwu.exe, 00000000.00000003.213652513.000000007EED0000.00000004.00001000.00020000.00000000.sdmp, Fnvtdhenapsfwu.exe, 00000000.00000002.220939596.000000007F4A0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: Yara match File source: Fnvtdhenapsfwu.exe, type: SAMPLE
Source: Yara match File source: 0.2.Fnvtdhenapsfwu.exe.2cb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.Fnvtdhenapsfwu.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\Public\Libraries\Fnvtdhen.PIF, type: DROPPED
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CD82F4 push 02CD835Fh; ret 0_2_02CD8357
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB32F0 push eax; ret 0_2_02CB332C
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB6372 push 02CB63CFh; ret 0_2_02CB63C7
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB6374 push 02CB63CFh; ret 0_2_02CB63C7
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CD80AC push 02CD8125h; ret 0_2_02CD811D
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC3050 push 02CC309Dh; ret 0_2_02CC3095
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCA038 push 02CCA070h; ret 0_2_02CCA068
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CD81F8 push 02CD8288h; ret 0_2_02CD8280
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CD8144 push 02CD81ECh; ret 0_2_02CD81E4
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CDC10C push eax; ret 0_2_02CDC1DC
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CD76B0 push 02CD78C8h; ret 0_2_02CD78C0
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB9740 pushfd ; retf 0_2_02CB9747
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB6768 push 02CB67AAh; ret 0_2_02CB67A2
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB6766 push 02CB67AAh; ret 0_2_02CB67A2
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB9724 push FFFFFF9Ah; retf 0_2_02CB972F
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB9730 pushfd ; retf 0_2_02CB973F
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCD498 push ecx; mov dword ptr [esp], edx 0_2_02CCD49D
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CBD584 push 02CBD5B0h; ret 0_2_02CBD5A8
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CBC550 push ecx; mov dword ptr [esp], edx 0_2_02CBC555
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CBCBD0 push 02CBCD56h; ret 0_2_02CBCD4E
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC6940 push 02CC69EBh; ret 0_2_02CC69E3
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCC908 push 02CCC940h; ret 0_2_02CCC938
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC7904 push 02CC7981h; ret 0_2_02CC7979
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB6FFB push FFFFFFCBh; retf 0_2_02CB7002
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC2F44 push 02CC2FBAh; ret 0_2_02CC2FB2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00457056 push ecx; ret 1_2_00457069
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0045B11A push esp; ret 1_2_0045B141
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0045E54D push esi; ret 1_2_0045E556
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00457978 push eax; ret 1_2_00457996
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00434DC6 push ecx; ret 1_2_00434DD9
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC7B14 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02CC7B14
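The "push <imm>; ret", "push <reg>; ret" and "pushfd; retf" entries above are the classic call/push/ret obfuscation the signature names: a push of a constant followed by ret is an unconditional jump that never shows up as a jmp or call, so linear disassemblers and call-graph builders that key on E8/E9 lose the edge. The scanner below is an added example for this report, not code from the sample, the sandbox or the Remcos/DBatLoader families; the byte buffer is constructed for the demo, and the base address is chosen so the first hit lands at the report's 02CD82F4. It only matches adjacent pairs (a byte scanner cannot safely skip intervening instructions without a real disassembler, which the sandbox entries pairing a push at one address with a ret several bytes later would need), and it deliberately does not flag "push ecx; mov [esp], edx", which is an ordinary compiler idiom for spilling a register into a fresh stack slot even though the sandbox lists it under the same heading.

```python
"""Scan raw x86 code bytes for adjacent push/ret control-flow obfuscation.

Added example for the push/ret entries in the sandbox report; not code from
the analysed sample. SAMPLE_CODE below is a constructed buffer.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

REG_NAMES = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


@dataclass
class PushRet:
    address: int            # virtual address of the push (base + offset)
    kind: str               # which sequence matched
    target: Optional[int]   # effective branch target when it is a constant


def scan_push_ret(code: bytes, base: int = 0) -> List[PushRet]:
    """Return every adjacent push/ret pair in `code`, with its jump target."""
    hits: List[PushRet] = []
    i, n = 0, len(code)
    while i < n:
        op = code[i]
        # 68 imm32 C3 : push imm32; ret  -> unconditional jump to imm32
        if op == 0x68 and i + 5 < n and code[i + 5] == 0xC3:
            target = struct.unpack_from("<I", code, i + 1)[0]
            hits.append(PushRet(base + i, "push_imm_ret", target))
            i += 6
            continue
        # 6A imm8 CB : push imm8 (sign-extended to 32 bits); retf
        if op == 0x6A and i + 2 < n and code[i + 2] == 0xCB:
            imm8 = struct.unpack_from("<b", code, i + 1)[0]
            hits.append(PushRet(base + i, "push_imm8_retf", imm8 & 0xFFFFFFFF))
            i += 3
            continue
        # 9C CB : pushfd; retf -> far return through EFLAGS, anti-disassembly junk
        if op == 0x9C and i + 1 < n and code[i + 1] == 0xCB:
            hits.append(PushRet(base + i, "pushfd_retf", None))
            i += 2
            continue
        # 50..57 C3 : push reg; ret -> indirect jump to the register value
        if 0x50 <= op <= 0x57 and i + 1 < n and code[i + 1] == 0xC3:
            reg = REG_NAMES[op - 0x50]
            hits.append(PushRet(base + i, "push_%s_ret" % reg, None))
            i += 2
            continue
        # "push ecx; mov [esp], edx" (51 89 14 24) falls through here: the push
        # is not followed by ret, so the compiler idiom is not reported.
        i += 1
    return hits


# Constructed buffer (not bytes from the sample), mapped so that the first
# push sits at 0x02CD82F4, the function address of the report's first entry.
SAMPLE_CODE = bytes([
    0x55, 0x8B, 0xEC,                    # push ebp; mov ebp, esp   (ordinary prologue)
    0x68, 0x5F, 0x83, 0xCD, 0x02, 0xC3,  # push 02CD835Fh; ret      -> jump to 0x02CD835F
    0x90,                                # nop
    0x50, 0xC3,                          # push eax; ret
    0x6A, 0x9A, 0xCB,                    # push FFFFFF9Ah; retf
    0x9C, 0xCB,                          # pushfd; retf
    0x51, 0x89, 0x14, 0x24,              # push ecx; mov [esp], edx (compiler idiom)
    0xC3,                                # ret
])
SAMPLE_BASE = 0x02CD82F1


if __name__ == "__main__":
    for hit in scan_push_ret(SAMPLE_CODE, SAMPLE_BASE):
        tgt = "" if hit.target is None else " -> %08X" % hit.target
        print("%08X %s%s" % (hit.address, hit.kind, tgt))
```

Run over a real unpacked section (for instance the 0.2.Fnvtdhenapsfwu.exe.2cb0000.1.unpack dump the Yara match refers to), the resolved targets of the push imm32; ret hits are the edges to feed back into the disassembler as manual jump targets so the function graph recovers the hidden control flow.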

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe File created: C:\Users\Public\Libraries\Fnvtdhen.PIF Jump to dropped file
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00406EB0 ShellExecuteW,URLDownloadToFileW, 1_2_00406EB0
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Fnvtdhen Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041A99C OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 1_2_0041A99C
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CCA074 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02CCA074
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
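The persistence and process-creation entries above describe one chain: the desktop EXE drops Fnvtdhen.PIF into C:\Users\Public\Libraries, registers it under the HKCU Run key, and both the original and the dropped copy start a signed Windows binary (SndVol.exe, colorcpl.exe) with a bare image path, which the injection signatures earlier in the report then account for. The rule set below is an added example of how to hunt that chain in endpoint telemetry; it is not part of the sandbox report and not any product's rule format. The event dicts are constructed to mirror the report, the field names (event_type, image, parent_image, command_line, target, value_data, is_pe, sleep_ms) are assumptions about a generic EDR schema, and the Run value's data, which the report does not print, is assumed to be the dropped .PIF path. The sleep rule applies the 30000 threshold the sandbox used against the 79500 it observed, with the field assumed to be milliseconds.

```python
"""Hunt the drop -> Run key -> hollowed-host chain from the report in telemetry.

Added example; not code from the sandbox, the sample or any EDR product.
SAMPLE_EVENTS is constructed to mirror the report's observations.
"""
from pathlib import PureWindowsPath
from typing import Callable, Dict, List, Tuple

Event = Dict[str, object]

# Signed Windows binaries the chain starts as injection hosts.
HOLLOW_HOSTS = {"sndvol.exe", "colorcpl.exe"}
# Prefixes an unprivileged user can write to; a parent living here is the
# loader, not a legitimate system component.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
PUBLIC_LIBRARIES = "c:\\users\\public\\libraries\\"
RUN_KEY_SUFFIX = "\\software\\microsoft\\windows\\currentversion\\run"


def _lower(value: object) -> str:
    return str(value or "").lower()


def hollow_host_from_user_dir(ev: Event) -> bool:
    """A process under a user-writable path starts SndVol.exe/colorcpl.exe
    with nothing but the image path on the command line."""
    if ev.get("event_type") != "process_create":
        return False
    parent = _lower(ev.get("parent_image"))
    child = PureWindowsPath(_lower(ev.get("image"))).name
    cmd = _lower(ev.get("command_line")).strip().strip('"')
    return parent.startswith(USER_WRITABLE) and child in HOLLOW_HOSTS and cmd.endswith(child)


def run_value_to_public_pif(ev: Event) -> bool:
    """HKCU Run value whose data is a PE with a non-.exe extension under
    C:\\Users\\Public\\Libraries (the report's Fnvtdhen value)."""
    if ev.get("event_type") != "registry_set":
        return False
    key = _lower(ev.get("target"))
    data = _lower(ev.get("value_data")).strip().strip('"')
    return (key.endswith(RUN_KEY_SUFFIX) and data.startswith(PUBLIC_LIBRARIES)
            and data.endswith((".pif", ".scr", ".com")))


def pe_dropped_with_odd_extension(ev: Event) -> bool:
    """PE written under C:\\Users\\Public\\Libraries without an .exe/.dll name."""
    if ev.get("event_type") != "file_create" or ev.get("is_pe") is not True:
        return False
    path = _lower(ev.get("target"))
    return path.startswith(PUBLIC_LIBRARIES) and not path.endswith((".exe", ".dll"))


def long_sleep(ev: Event) -> bool:
    """Single sleep at or above the sandbox's 30000 threshold (assumed ms)."""
    return ev.get("event_type") == "sleep" and int(ev.get("sleep_ms", 0)) >= 30_000


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("hollow_host_from_user_dir", hollow_host_from_user_dir),
    ("run_value_to_public_pif", run_value_to_public_pif),
    ("pe_drop_odd_extension", pe_dropped_with_odd_extension),
    ("long_sleep", long_sleep),
]


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


# Constructed telemetry mirroring the report; not exported from a real EDR.
SAMPLE_EVENTS: List[Event] = [
    {"event_type": "process_create",
     "parent_image": r"C:\Users\user\Desktop\Fnvtdhenapsfwu.exe",
     "image": r"C:\Windows\SysWOW64\SndVol.exe",
     "command_line": r"C:\Windows\System32\SndVol.exe"},
    {"event_type": "process_create",                      # benign: user opened the mixer
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\SndVol.exe",
     "command_line": r"C:\Windows\System32\SndVol.exe"},
    {"event_type": "file_create", "is_pe": True,
     "target": r"C:\Users\Public\Libraries\Fnvtdhen.PIF"},
    {"event_type": "registry_set",
     "target": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Fnvtdhen",
     "value_data": r"C:\Users\Public\Libraries\Fnvtdhen.PIF"},  # data assumed
    {"event_type": "process_create",
     "parent_image": r"C:\Users\Public\Libraries\Fnvtdhen.PIF",
     "image": r"C:\Windows\SysWOW64\colorcpl.exe",
     "command_line": r"C:\Windows\System32\colorcpl.exe"},
    {"event_type": "sleep", "sleep_ms": 79_500},
]

if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The benign SndVol.exe launch from explorer.exe is included on purpose: the hollowing rule keys on the parent living under a user-writable path plus an argument-less command line, not on the child name alone, which is what keeps it quiet when a user opens the volume mixer. The long_sleep rule is the weakest of the four on its own and is worth correlating with the others rather than alerting on by itself.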

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040F6F5 Sleep,ExitProcess, 1_2_0040F6F5
Source: C:\Windows\SysWOW64\SndVol.exe TID: 7160 Thread sleep time: -79500s >= -30000s
Source: C:\Windows\SysWOW64\SndVol.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 1_2_0041A69A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 1_2_00407C97
Source: C:\Windows\SysWOW64\SndVol.exe API call chain: ExitProcess graph end node
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.216873929.00000000005C1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.216873929.0000000000602000.00000004.00000020.00020000.00000000.sdmp, Fnvtdhen.PIF, 00000002.00000002.253289545.0000000000616000.00000004.00000020.00020000.00000000.sdmp, Fnvtdhen.PIF, 00000002.00000002.253289545.0000000000606000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Fnvtdhen.PIF, 00000002.00000002.253289545.00000000005D6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: Fnvtdhenapsfwu.exe, 00000000.00000002.216873929.00000000005F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWevawe.ydns.eu/
Source: SndVol.exe, 00000001.00000003.216691336.000000000083A000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000001.00000003.352563567.000000000083A000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000001.00000003.216644931.000000000083A000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000001.00000002.474404070.000000000083A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB58CC GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02CB58CC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041C1E3 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 1_2_0041C1E3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_00409253
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040C29B FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 1_2_0040C29B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 1_2_00409665
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0044E749 FindFirstFileExA, 1_2_0044E749
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 1_2_0040880C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040783C FindFirstFileW,FindNextFileW, 1_2_0040783C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00419A47 FindFirstFileW,FindNextFileW,FindNextFileW, 1_2_00419A47
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040BA7E FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 1_2_0040BA7E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0040BC85 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 1_2_0040BC85
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CC7B14 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary, 0_2_02CC7B14
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00443224 mov eax, dword ptr fs:[00000030h] 1_2_00443224
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0043494B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0043494B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0044FA9E GetProcessHeap, 1_2_0044FA9E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00434A99 SetUnhandledExceptionFilter, 1_2_00434A99
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0043494B IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0043494B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0043BA72 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_0043BA72
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00434F4C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00434F4C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 62F0000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6190000 protect: page execute and read and write
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Memory written: C:\Windows\SysWOW64\SndVol.exe base: 62F0000 value starts with: 4D5A
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6190000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Memory written: C:\Windows\SysWOW64\SndVol.exe base: 62F0000
Source: C:\Users\Public\Libraries\Fnvtdhen.PIF Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6190000
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 1_2_00412045
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00419579 mouse_event, 1_2_00419579
Source: SndVol.exe, 00000001.00000003.352563567.000000000083A000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000001.00000002.474404070.000000000083A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: SndVol.exe, 00000001.00000002.474404070.000000000083A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managers.eu:1972=L
Source: SndVol.exe, 00000001.00000003.352563567.000000000083A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr]
Source: SndVol.exe, 00000001.00000002.474312952.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, SndVol.exe, 00000001.00000002.474404070.000000000083A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: SndVol.exe, 00000001.00000002.474404070.000000000083A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager|
Source: SndVol.exe, 00000001.00000002.474312952.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, logs.dat.1.dr Binary or memory string: [Program Manager]
Source: SndVol.exe, 00000001.00000002.474404070.000000000083A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager4L
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02CB5A90
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: GetLocaleInfoA, 0_2_02CBA7F4
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: GetLocaleInfoA, 0_2_02CBA7A8
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02CB5B9C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 1_2_00452014
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 1_2_00452264
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 1_2_004482D4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 1_2_0045238D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 1_2_00452494
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 1_2_00452561
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 1_2_004487BD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 1_2_0040F81F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 1_2_00451C29
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 1_2_00451EEC
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 1_2_00451EA1
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 1_2_00451F87
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00434BC1 cpuid 1_2_00434BC1
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CB91F0 GetLocalTime, 0_2_02CB91F0
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_00449060 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 1_2_00449060
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 1_2_0041B55F GetUserNameW, 1_2_0041B55F
Source: C:\Users\user\Desktop\Fnvtdhenapsfwu.exe Code function: 0_2_02CBB770 GetVersionExA, 0_2_02CBB770

Stealing of Sensitive Information

Source: Yara match File source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.474312952.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253206056.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253042102.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253092372.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253076423.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 6388, type: MEMORYSTR
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 1_2_0040BA7E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \key3.db 1_2_0040BA7E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 1_2_0040B960

Remote Access Functionality

Source: Yara match File source: 1.2.SndVol.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.6190000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.62f194e.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.SndVol.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.colorcpl.exe.619194e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.474312952.00000000007D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253206056.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253042102.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474788319.00000000062F0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.474134003.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253092372.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.253076423.0000000002AD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253136648.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.253322818.0000000006190000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 7120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 6388, type: MEMORYSTR