Windows Analysis Report
Certificate_of_registration.exe

Overview

General Information

Sample name: Certificate_of_registration.exe
Analysis ID: 1465318
MD5: 74306ff01db05a602a39c5da423b8d00
SHA1: f9326efd199cc26ebbc48109c3903e9be25f0b0c
SHA256: 9fa768cb5a871346c0831394150d09b4697c564536ae523b539aa12a17d015b6
Tags: exe
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Snort IDS alert for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionalty to change the wallpaper
Delayed program exit found
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Found malware configuration
Source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "morrrw.ddns.net:6609:0", "Assigned name": "GOD HOPE", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-Q2SG61", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe ReversingLabs: Detection: 44%
Multi AV Scanner detection for submitted file
Source: Certificate_of_registration.exe ReversingLabs: Detection: 44%
Yara detected Remcos RAT
Source: Yara match File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2648148319.00000000051D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1720, type: MEMORYSTR
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: Certificate_of_registration.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 37_2_00433837
Source: Certificate_of_registration.exe, 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_3d111913-e

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
Uses 32bit PE files
Source: Certificate_of_registration.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Certificate_of_registration.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040880C FindFirstFileW,FindNextFileW,FindClose, 37_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040783C FindFirstFileW,FindNextFileW, 37_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00419AF5 FindFirstFileW, 37_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 37_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 37_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 37_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00409665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 37_2_00409665

Networking
barindex
Snort IDS alert for network traffic
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65010 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65011 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65012 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65013 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65014 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65015 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65016 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65018 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65019 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65020 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65021 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65022 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65023 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65024 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65025 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65026 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65027 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65028 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65029 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65030 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65031 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65032 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65033 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65034 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65035 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65036 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65037 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65038 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65039 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65040 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65041 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65042 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65043 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65044 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65045 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65046 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65047 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65048 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65049 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65050 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65051 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65052 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65053 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65054 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65055 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65056 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65057 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65058 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65059 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65060 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65061 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65062 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65063 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65064 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65065 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65066 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65067 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65068 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65069 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65070 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65071 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65072 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65073 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65074 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65075 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65076 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65077 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65078 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65079 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65080 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65081 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65082 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65083 -> 109.248.151.250:6609
Source: Traffic Snort IDS: 2032776 ET TROJAN Remcos 3.x Unencrypted Checkin 192.168.2.4:65084 -> 109.248.151.250:6609
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: morrrw.ddns.net
Uses dynamic DNS services
Source: unknown DNS query: name: busbuctomorrrw.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:65010 -> 109.248.151.250:6609
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DATACLUBLV DATACLUBLV
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile, 37_2_0041B380
Source: global traffic DNS traffic detected: DNS query: busbuctomorrrw.ddns.net
Source: Certificate_of_registration.exe, 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, vbc.exe, 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, vbc.exe, 0000000D.00000002.1892847188.000000000061B000.00000002.00000400.00020000.00000000.sdmp, vbc.exe, 00000025.00000002.2647024450.000000000046B000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: Amcache.hve.9.dr String found in binary or memory: http://upx.sf.net

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 37_2_0040A2B8
Contains functionality for read data from the clipboard
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 37_2_0040B70E
Contains functionality to read the clipboard data
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, 37_2_0040B70E
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 37_2_0040A3E0

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2648148319.00000000051D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1720, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041C9E2 SystemParametersInfoW, 37_2_0041C9E2

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000025.00000002.2647024450.000000000046B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.1892847188.000000000061B000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: vbc.exe PID: 7764, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Abnormal high CPU Usage
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile, 37_2_004132D2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, 37_2_0041BB09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, 37_2_0041BB35
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 37_2_0041D58F
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Code function: 0_2_02C34F58 CreateProcessAsUserA, 0_2_02C34F58
Contains functionality to shutdown / reboot the system
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004167B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 37_2_004167B9
Detected potential crypto function
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0043E0CC 37_2_0043E0CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004378FE 37_2_004378FE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00433946 37_2_00433946
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004461F0 37_2_004461F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0043E2FB 37_2_0043E2FB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0045332B 37_2_0045332B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004374E6 37_2_004374E6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0043E558 37_2_0043E558
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00435E5E 37_2_00435E5E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0043DE9D 37_2_0043DE9D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00436FEA 37_2_00436FEA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041DB62 37_2_0041DB62
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: String function: 00434E10 appears 54 times
One or more processes crash
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 516
Sample file is different than original file name gathered from version info
Source: Certificate_of_registration.exe, 00000000.00000002.1738576793.000000000104E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Certificate_of_registration.exe
Uses 32bit PE files
Source: Certificate_of_registration.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000025.00000002.2647024450.000000000046B000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.1892847188.000000000061B000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: vbc.exe PID: 7764, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Certificate_of_registration.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Phtos.exe.10.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Certificate_of_registration.exe, --.cs Cryptographic APIs: 'CreateDecryptor'
Source: Certificate_of_registration.exe, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Certificate_of_registration.exe, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Phtos.exe.10.dr, --.cs Cryptographic APIs: 'CreateDecryptor'
Source: Phtos.exe.10.dr, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: Phtos.exe.10.dr, --.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@83/13@4/1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 37_2_00417952
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040F8FD CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,Process32NextW,CloseHandle, 37_2_0040F8FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 37_2_0041B4A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW, 37_2_0041AA4A
Source: C:\Users\user\Desktop\Certificate_of_registration.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Certificate_of_registration.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5348:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3384:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6616:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7944:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2116:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7808:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7388:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7764
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7360:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7328
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
Source: C:\Users\user\Desktop\Certificate_of_registration.exe File created: C:\Users\user\AppData\Local\Temp\Phtos Jump to behavior
Source: Certificate_of_registration.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Certificate_of_registration.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Certificate_of_registration.exe ReversingLabs: Detection: 44%
Source: unknown Process created: C:\Users\user\Desktop\Certificate_of_registration.exe "C:\Users\user\Desktop\Certificate_of_registration.exe"
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7328 -s 516
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7764 -s 528
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Section loaded: cryptbase.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: winmm.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: urlmon.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: wininet.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iertutil.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: srvcli.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: netutils.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: iphlpapi.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: ncrypt.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: ntasn1.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Users\user\Desktop\Certificate_of_registration.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: Certificate_of_registration.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Certificate_of_registration.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00406A63 LoadLibraryA,GetProcAddress, 37_2_00406A63
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00457106 push ecx; ret 37_2_00457119
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0044E326 push esp; retf 37_2_0044E327
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0044DD28 push esp; retf 37_2_0044DD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00434E56 push ecx; ret 37_2_00434E69
Source: Certificate_of_registration.exe Static PE information: section name: .text entropy: 7.949760157390658
Source: Phtos.exe.10.dr Static PE information: section name: .text entropy: 7.949760157390658
Drops PE files
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Jump to dropped file

Boot Survival
barindex
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW, 37_2_0041AA4A
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00435E5E GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 37_2_00435E5E
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040F7A7 Sleep,ExitProcess, 37_2_0040F7A7
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory allocated: 2C30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory allocated: 2E50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory allocated: 4E50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 17D0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 31A0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 1990000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 3170000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 32C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 52C0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: FC0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 2A30000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 27F0000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: DF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 2BB0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 2910000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 1700000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 3090000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: 5090000 memory reserve | memory write watch
Contains functionality to enumerate running services
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 37_2_0041A748
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Window / User API: threadDelayed 9856 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API coverage: 2.1 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\Certificate_of_registration.exe TID: 7284 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 7640 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 4320 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740 Thread sleep count: 100 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740 Thread sleep count: 9856 > 30 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe TID: 6740 Thread sleep time: -29568000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 7840 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 5444 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe TID: 5724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040880C FindFirstFileW,FindNextFileW,FindClose, 37_2_0040880C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040783C FindFirstFileW,FindNextFileW, 37_2_0040783C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00419AF5 FindFirstFileW, 37_2_00419AF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 37_2_0041C291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 37_2_0040C34D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 37_2_0040BB30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00409665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 37_2_00409665
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Thread delayed: delay time: 922337203685477
Source: Amcache.hve.9.dr Binary or memory string: VMware
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.9.dr Binary or memory string: VMware, Inc.
Source: vbc.exe, 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.9.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.9.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.9.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.9.dr Binary or memory string: vmci.sys
Source: Amcache.hve.9.dr Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.9.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.9.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.9.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.9.dr Binary or memory string: VMware20,1
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.9.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.9.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.9.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.9.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.9.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.9.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.9.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.9.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe API call chain: ExitProcess graph end node
Checks if the current process is being debugged
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_004349F9
Contains functionality to dynamically determine API calls
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00406A63 LoadLibraryA,GetProcAddress, 37_2_00406A63
Contains functionality to read the PEB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004432B5 mov eax, dword ptr fs:[00000030h] 37_2_004432B5
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00412077 GetProcessHeap,HeapFree, 37_2_00412077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_004349F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004349F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_004349F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00434B47 SetUnhandledExceptionFilter, 37_2_00434B47
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 37_2_0043BB22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 37_2_00434FDC
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 800000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5B0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 protect: page execute and read and write
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 800000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5B0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 value starts with: 4D5A
Writes to foreign memory regions
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 800000 Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 801000 Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 859000 Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 871000 Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 877000 Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 878000 Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 879000 Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 87E000 Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 7FF008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5B0000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 5B1000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 609000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 621000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 627000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 628000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 629000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 62E000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 230008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 374008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: A89008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: C54008
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 459000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 471000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 477000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 478000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 479000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 47E000
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe base: 7D1008
Contains functionality to simulate mouse events
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00419627 mouse_event, 37_2_00419627
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\Desktop\Certificate_of_registration.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C mkdir "C:\Users\user\AppData\Local\Temp\Phtos"
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C copy "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe" "C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe'" /f
Source: vbc.exe, 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerWe
Source: vbc.exe, 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerqe
Source: vbc.exe, 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, vbc.exe, 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00434C52 cpuid 37_2_00434C52
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: EnumSystemLocalesW, 37_2_00452036
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: GetLocaleInfoW, 37_2_004488ED
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: GetLocaleInfoW, 37_2_00452313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: EnumSystemLocalesW, 37_2_00448404
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 37_2_0045243C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 37_2_00451CD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: GetLocaleInfoW, 37_2_00452543
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 37_2_00452610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: EnumSystemLocalesW, 37_2_00451F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: EnumSystemLocalesW, 37_2_00451F9B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: GetLocaleInfoA, 37_2_0040F8D1
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Queries volume information: C:\Users\user\Desktop\Certificate_of_registration.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Phtos\Phtos.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_00448957 GetSystemTimeAsFileTime, 37_2_00448957
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_0041B60D GetComputerNameExW,GetUserNameW, 37_2_0041B60D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Code function: 37_2_004493AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 37_2_004493AD
Source: C:\Users\user\Desktop\Certificate_of_registration.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: Amcache.hve.9.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.9.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2648148319.00000000051D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1720, type: MEMORYSTR

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-Q2SG61
Yara detected Remcos RAT
Source: Yara match File source: 1.2.vbc.exe.800000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3ecdf90.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Certificate_of_registration.exe.3e55570.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000037.00000002.3847813442.0000000000C67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.4154025246.0000000000627000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002E.00000002.3247652736.0000000005337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.4154025246.000000000063B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2648148319.00000000051D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1883825441.0000000000859000.00000002.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1740107765.0000000003E51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Certificate_of_registration.exe PID: 7264, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 7004, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: vbc.exe PID: 1720, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1465318 Sample: Certificate_of_registration.exe Startdate: 01/07/2024 Architecture: WINDOWS Score: 100 63 busbuctomorrrw.ddns.net 2->63 77 Snort IDS alert for network traffic 2->77 79 Found malware configuration 2->79 81 Malicious sample detected (through community Yara rule) 2->81 85 7 other signatures 2->85 8 Certificate_of_registration.exe 2 2->8         started        12 Phtos.exe 1 2->12         started        14 Phtos.exe 2->14         started        16 3 other processes 2->16 signatures3 83 Uses dynamic DNS services 63->83 process4 file5 61 C:\...\Certificate_of_registration.exe.log, CSV 8->61 dropped 87 Writes to foreign memory regions 8->87 89 Allocates memory in foreign processes 8->89 91 Injects a PE file into a foreign processes 8->91 18 vbc.exe 8->18         started        21 cmd.exe 3 8->21         started        24 cmd.exe 2 8->24         started        26 cmd.exe 1 8->26         started        93 Multi AV Scanner detection for dropped file 12->93 95 Machine Learning detection for dropped file 12->95 33 4 other processes 12->33 28 vbc.exe 3 14->28         started        35 3 other processes 14->35 31 vbc.exe 16->31         started        37 11 other processes 16->37 signatures6 process7 dnsIp8 67 Contains functionalty to change the wallpaper 18->67 69 Contains functionality to register a low level keyboard hook 18->69 71 Delayed program exit found 18->71 39 WerFault.exe 22 16 18->39         started        57 C:\Users\user\AppData\Local\...\Phtos.exe, PE32 21->57 dropped 59 C:\Users\user\...\Phtos.exe:Zone.Identifier, ASCII 21->59 dropped 41 conhost.exe 21->41         started        73 Uses schtasks.exe or at.exe to add and modify task schedules 24->73 43 conhost.exe 24->43         started        45 conhost.exe 26->45         started        47 schtasks.exe 1 26->47         started        65 busbuctomorrrw.ddns.net 109.248.151.250, 65010, 65011, 65012 DATACLUBLV Russian Federation 28->65 75 Detected Remcos RAT 28->75 49 WerFault.exe 21 33->49         started        51 4 other processes 33->51 53 4 other processes 35->53 55 12 other processes 37->55 file9 signatures10 process11
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
109.248.151.250
 busbuctomorrrw.ddns.net Russian Federation
52048 DATACLUBLV true

Contacted Domains

Name IP Active
busbuctomorrrw.ddns.net 109.248.151.250 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
morrrw.ddns.net true
  • Avira URL Cloud: safe
 unknown