Windows Analysis Report
LisectAVT_2403002A_348.exe

Overview

General Information

Sample name: LisectAVT_2403002A_348.exe
Analysis ID: 1481037
MD5: ca7297cac9b020daf21baae3555afc82
SHA1: 1cfc7b42bbc3a18ed7e7c4610b0ccb15a7e41328
SHA256: 0578e5041013dbc9f824090abb81d1986ae39ed5a4500d6ad4080fb02ce0bb0d
Tags: exe

Detection

Njrat
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Njrat
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Creates an undocumented autostart registry key
Creates files with lurking names (e.g. Crack.exe)
Disables zone checking for all users
Hides threads from debuggers
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Overwrites code with unconditional jumps - possibly setting hooks in a foreign process
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: System File Execution Location Anomaly
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Tries to evade analysis by executing special instructions (VM detection)
Uses dynamic DNS services
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Abnormally high CPU usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Use Short Name Path in Command Line
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
NjRAT RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim's camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim's desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives." It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.
  • AQUATIC PANDA
  • Earth Lusca
  • Operation C-Major
  • The Gorgon Group
https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat

AV Detection

Source: LisectAVT_2403002A_348.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe Avira: detection malicious, Label: TR/Dropper.Gen
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Njrat {"Host": "dllsys.duckdns.org", "Port": "3202", "Version": "0.7d", "Campaign ID": "HacKed", "Registry": "Software\\Microsoft\\Windows\\CurrentVersion\\Run", "Startup": "3b570ffeeb3d34249b9a5ce0ee58a328"}
Source: dllsys.duckdns.org Virustotal: Detection: 10%
Source: https://breaking-security.net/remcos/changelog Virustotal: Detection: 5%
Source: C:\Users\user\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe Virustotal: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe ReversingLabs: Detection: 17%
Source: LisectAVT_2403002A_348.exe ReversingLabs: Detection: 68%
Source: LisectAVT_2403002A_348.exe Virustotal: Detection: 69%
Source: Yara match File source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3726257795.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_348.exe PID: 4472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: taskhost.exe PID: 4040, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 92.2% probability
Source: C:\Users\user\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_348.exe Joe Sandbox ML: detected
Source: LisectAVT_2403002A_348.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_348.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Utente\Desktop\njRAT v0.7d Professional Edition By Dark .NET\njRAT v0.7d Professional Edition By Dark .NET\NJ RAT 7 Stub Source\Nero 7\Nero 7\obj\x86\Release\Nero 7.pdb source: LisectAVT_2403002A_348.exe, 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: taskhost.exe, 00000013.00000000.1334129012.0000000000B82000.00000002.00000001.01000000.0000000B.sdmp, taskhost.exe.0.dr

Networking

Source: unknown DNS query: name: dllsys.duckdns.org
Source: global traffic TCP traffic: 192.168.2.7:49704 -> 84.220.8.178:3202
Source: Joe Sandbox View ASN Name: TISCALI-IT TISCALI-IT
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: dllsys.duckdns.org
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://breaking-security.net/terms
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://breaking-security.net/termsopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://breakingsec02.co.nf/Remcos/logaccess.php?DATA=
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://breakingsec02.co.nf/Remcos/upd_free.txtU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.geoplugin.net
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.geoplugin.net/json.gp?ip=
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: http://www.geoplugin.netU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1349983964.0000000004BBB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://Breaking-Security.net
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1348743141.0000000004888000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://Breaking-Security.netpf
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/clientarea/support
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/clientarea/supportopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/contact
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/contactopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/forum
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/forumopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/keylogger
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/keyloggeropenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/meteorite-downloader
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/meteorite-downloaderopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/octopus
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/octopusopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/poseidon
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/poseidonopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/remcos
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/remcos/changelog
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/remcos/changelogopenCongratulations
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/remcos/manual
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/remcos/manualopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/remcosopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/shop/remcos/
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/shop/remcos/open
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/source-codes/delphisources
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/source-codes/delphisourcesopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/terms
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/termsopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/viotto-binder
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.net/viotto-binderopenU
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp String found in binary or memory: https://breaking-security.netopenU

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, kl.cs .Net Code: VKCodeToUnicode
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 19_2_02D37C51 GetKeyState,GetKeyState,GetKeyState, 19_2_02D37C51

E-Banking Fraud

Source: Yara match File source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3726257795.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_348.exe PID: 4472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: taskhost.exe PID: 4040, type: MEMORYSTR

System Summary

Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: Detects malware from disclosed CN malware set Author: Florian Roth
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects NjRAT / Bladabindi Author: ditekSHen
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 Author: unknown
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Identify njRat Author: Brian Wallace @botnet_hunter
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: detect njRAT in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe File created: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_01EE9AA3 0_2_01EE9AA3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_01EE6267 0_2_01EE6267
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_01EED48A 0_2_01EED48A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_01EEEB60 0_2_01EEEB60
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_01EEBDE8 0_2_01EEBDE8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_01EE6DB1 0_2_01EE6DB1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_09476844 0_2_09476844
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_09475338 0_2_09475338
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_09473441 0_2_09473441
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_09477F40 0_2_09477F40
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 19_2_02D32C60 19_2_02D32C60
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 19_2_02D32C54 19_2_02D32C54
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 19_2_02D377D1 19_2_02D377D1
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe 4EA203509D0FDFF3E31F976413C546CA3D36133BC708E9A1301860961CC3A8D9
Source: Remcos Professional Cracked By Alcatraz3222.exe.0.dr Static PE information: Number of sections : 12 > 10
Source: LisectAVT_2403002A_348.exe, 00000000.00000002.1338758211.0000000001F1E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs LisectAVT_2403002A_348.exe
Source: LisectAVT_2403002A_348.exe, 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameNero 7.exe. vs LisectAVT_2403002A_348.exe
Source: LisectAVT_2403002A_348.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\user~1\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: CN_disclosed_20180208_c date = 2018-02-08, hash1 = 17475d25d40c877284e73890a9dd55fccedc6a5a071c351a8c342c8ef7f9cea7, author = Florian Roth, description = Detects malware from disclosed CN malware set, reference = https://twitter.com/cyberintproject/status/961714165550342146, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_NjRAT author = ditekSHen, description = Detects NjRAT / Bladabindi
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Njrat_30f3c220 reference_sample = 741a0f3954499c11f9eddc8df7c31e7c59ca41f1a7005646735b8b1d53438c1b, os = windows, severity = x86, creation_date = 2021-06-13, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Njrat, fingerprint = d15e131bca6beddcaecb20fffaff1784ad8a33a25e7ce90f7450d1a362908cc4, id = 30f3c220-b8dc-45a1-bcf0-027c2f76fa63, last_modified = 2021-10-04
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: njrat1 date = 2015-05-27, author = Brian Wallace @botnet_hunter, description = Identify njRat, author_email = bwall@ballastsecurity.net
Source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Njrat hash1 = d5f63213ce11798879520b0e9b0d1b68d55f7727758ec8c120e370699a41379d, author = JPCERT/CC Incident Response Group, description = detect njRAT in memory, rule_usage = memory scan
Source: LisectAVT_2403002A_348.exe, -vd.cs Cryptographic APIs: 'CreateDecryptor'
Source: LisectAVT_2403002A_348.exe, -vd.cs Cryptographic APIs: 'TransformFinalBlock'
Source: taskhost.exe.0.dr, TaskParameter.cs Task registration methods: 'CreateNewTaskItemFrom'
Source: taskhost.exe.0.dr, OutOfProcTaskHostNode.cs Task registration methods: 'RegisterTaskObject', 'UnregisterPacketHandler', 'RegisterPacketHandler', 'UnregisterTaskObject', 'GetRegisteredTaskObject'
Source: taskhost.exe.0.dr, TaskLoader.cs Task registration methods: 'CreateTask'
Source: taskhost.exe.0.dr, RegisteredTaskObjectCacheBase.cs Task registration methods: 'GetLazyCollectionForLifetime', 'RegisterTaskObject', 'DisposeObjects', 'IsCollectionEmptyOrUncreated', 'UnregisterTaskObject', 'DisposeCacheObjects', 'GetRegisteredTaskObject', 'GetCollectionForLifetime'
Source: taskhost.exe.0.dr, CommunicationsUtilities.cs Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: taskhost.exe.0.dr, CommunicationsUtilities.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: taskhost.exe.0.dr, NodeEndpointOutOfProcBase.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent(bool)
Source: taskhost.exe.0.dr, NodeEndpointOutOfProcBase.cs Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: taskhost.exe.0.dr, NodeEndpointOutOfProcBase.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: taskhost.exe, 00000013.00000000.1334129012.0000000000B82000.00000002.00000001.01000000.0000000B.sdmp, taskhost.exe.0.dr Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: taskhost.exe, 00000013.00000000.1334129012.0000000000B82000.00000002.00000001.01000000.0000000B.sdmp, taskhost.exe.0.dr Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: taskhost.exe, 00000013.00000000.1334129012.0000000000B82000.00000002.00000001.01000000.0000000B.sdmp, taskhost.exe.0.dr Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: taskhost.exe, 00000013.00000000.1334129012.0000000000B82000.00000002.00000001.01000000.0000000B.sdmp, taskhost.exe.0.dr Binary or memory string: *.sln
Source: taskhost.exe, 00000013.00000000.1334129012.0000000000B82000.00000002.00000001.01000000.0000000B.sdmp, taskhost.exe.0.dr Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: taskhost.exe, 00000013.00000000.1334129012.0000000000B82000.00000002.00000001.01000000.0000000B.sdmp, taskhost.exe.0.dr Binary or memory string: /ignoreprojectextensions:.sln
Source: taskhost.exe, 00000013.00000000.1334129012.0000000000B82000.00000002.00000001.01000000.0000000B.sdmp, taskhost.exe.0.dr Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: classification engine Classification label: mal100.phis.troj.spyw.evad.winEXE@20/9@4/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LisectAVT_2403002A_348.exe.log Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7164:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Mutant created: \Sessions\1\BaseNamedObjects\REMCOS_C&C_MUTEX
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5456:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Mutant created: \Sessions\1\BaseNamedObjects\3b570ffeeb3d34249b9a5ce0ee58a328
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2620:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe File created: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Jump to behavior
Source: LisectAVT_2403002A_348.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior
Source: LisectAVT_2403002A_348.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: LisectAVT_2403002A_348.exe ReversingLabs: Detection: 68%
Source: LisectAVT_2403002A_348.exe Virustotal: Detection: 69%
Source: unknown Process created: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe "C:\Users\user\Desktop\LisectAVT_2403002A_348.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe "C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:/Users/user/Desktop/LisectAVT_2403002A_348.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\user~1\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Users\user\AppData\Local\Temp\taskhost.exe "C:\Users\user~1\AppData\Local\Temp\taskhost.exe"
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe "C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe" Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:/Users/user/Desktop/LisectAVT_2403002A_348.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\user~1\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: dfddccccccccccccccccccccccccccccccccccccccccccccccccccccddddfll.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: dfddccccccccccccccccccccccccccccccccccccccccccccccccccccddddfll.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: dfddccccccccccccccccccccccccccccccccccccccccccccccccccccddddfll.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: dfddccccccccccccccccccccccccccccccccccccccccccccccccccccddddfll.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: dataexchange.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: d3d11.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: dcomp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: avicap32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: msvfw32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ifmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasmontr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mfc42u.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: authfwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwpolicyiomgr.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: firewallapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcmonitor.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3cfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dot3api.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: onex.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: eappprxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: fwcfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: hnetmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netshell.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netsetupapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: netiohlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: httpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: activeds.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: polstore.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winipsec.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: adsldpc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: nshwfp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2pnetsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: p2p.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rpcnsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: whhelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlancfg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wlanapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wshelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: peerdistsh.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wcmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: rmclient.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mobilenetworking.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: ktmw32.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: mprmsg.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Window found: window name: TComboBox Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: LisectAVT_2403002A_348.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: LisectAVT_2403002A_348.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: LisectAVT_2403002A_348.exe Static file information: File size 18539223 > 1048576
Source: LisectAVT_2403002A_348.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x1160200
Source: LisectAVT_2403002A_348.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Utente\Desktop\njRAT v0.7d Professional Edition By Dark .NET\njRAT v0.7d Professional Edition By Dark .NET\NJ RAT 7 Stub Source\Nero 7\Nero 7\obj\x86\Release\Nero 7.pdb source: LisectAVT_2403002A_348.exe, 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: taskhost.exe, 00000013.00000000.1334129012.0000000000B82000.00000002.00000001.01000000.0000000B.sdmp, taskhost.exe.0.dr

Data Obfuscation

Source: LisectAVT_2403002A_348.exe, -0c.cs .Net Code: _0023Xc System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, OK.cs .Net Code: Plugin System.Reflection.Assembly.Load(byte[])
Source: initial sample Static PE information: section where entry point is pointing to: .viotto1
Source: Remcos Professional Cracked By Alcatraz3222.exe.0.dr Static PE information: section name: .didata
Source: Remcos Professional Cracked By Alcatraz3222.exe.0.dr Static PE information: section name: .viotto0
Source: Remcos Professional Cracked By Alcatraz3222.exe.0.dr Static PE information: section name: .viotto1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Code function: 0_2_01EE5B7D push ebp; iretd 0_2_01EE5B88
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Code function: 19_2_02D313C3 pushad ; iretd 19_2_02D313C2
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe File created: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe File created: C:\Users\user\AppData\Local\Temp\taskhost.exe
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe

Boot Survival

Source: C:\Windows\SysWOW64\reg.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Load

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 2B10005 value: E9 2B BA C1 74
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 7772BA30 value: E9 DA 45 3E 8B
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 2D10008 value: E9 8B 8E A6 74
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 77778E90 value: E9 80 71 59 8B
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 2D20005 value: E9 8B 4D D1 72
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 75A34D90 value: E9 7A B2 2E 8D
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 4730005 value: E9 EB EB 31 71
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 75A4EBF0 value: E9 1A 14 CE 8E
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 4740005 value: E9 8B 8A E9 71
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 765D8A90 value: E9 7A 75 16 8E
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 4750005 value: E9 2B 02 EB 71
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 76600230 value: E9 DA FD 14 8E
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 4770005 value: E9 8B 2F FF 72
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 77762F90 value: E9 7A D0 00 8D
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 4780007 value: E9 EB DF 01 73
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Memory written: PID: 3732 base: 7779DFF0 value: E9 1E 20 FE 8C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_348.exe PID: 4472, type: MEMORYSTR
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344777805.0000000000762000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: SBIEDLL.DLL
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 18896CF second address: 18896E8 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 dec dl 0x00000006 not cl 0x00000008 sub cl, FFFFFF82h 0x0000000b sub dx, di 0x0000000e bsr edx, esp 0x00000011 xor bl, cl 0x00000013 dec ax 0x00000016 sal eax, FFFFFFE6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 1963009 second address: 1846175 instructions: 0x00000000 rdtsc 0x00000002 adc ax, si 0x00000005 jmp 00007F927CBB3D8Ah 0x0000000a movzx ecx, byte ptr [edi] 0x0000000d btc ax, FFE7h 0x00000012 clc 0x00000013 xor cl, bl 0x00000015 xchg ax, dx 0x00000017 sal dh, cl 0x00000019 add cl, FFFFFFE2h 0x0000001c sar edx, 29h 0x0000001f adc eax, 4AD259B5h 0x00000024 xor cl, 0000001Fh 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 18C994F second address: 18C995A instructions: 0x00000000 rdtsc 0x00000002 not cl 0x00000004 bt ax, 0032h 0x00000009 add eax, ebp 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 18C995A second address: 18C997C instructions: 0x00000000 rdtsc 0x00000002 xor cl, 00000051h 0x00000005 shl al, FFFFFF88h 0x00000008 movsx dx, ch 0x0000000c cdq 0x0000000d neg cl 0x0000000f btc ax, dx 0x00000013 ror eax, 3Ah 0x00000016 not cl 0x00000018 ror dx, cl 0x0000001b movzx edx, di 0x0000001e ror cl, 1 0x00000020 xor bl, cl 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 1505987 second address: 1505992 instructions: 0x00000000 rdtsc 0x00000002 not cl 0x00000004 bt ax, 0032h 0x00000009 add eax, ebp 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 1505992 second address: 15059B4 instructions: 0x00000000 rdtsc 0x00000002 xor cl, 00000051h 0x00000005 shl al, FFFFFF88h 0x00000008 movsx dx, ch 0x0000000c cdq 0x0000000d neg cl 0x0000000f btc ax, dx 0x00000013 ror eax, 3Ah 0x00000016 not cl 0x00000018 ror dx, cl 0x0000001b movzx edx, di 0x0000001e ror cl, 1 0x00000020 xor bl, cl 0x00000022 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 1129138 second address: 129ECD3 instructions: 0x00000000 rdtsc 0x00000002 sub edi, 00000008h 0x00000008 test dh, dl 0x0000000a mov dword ptr [edi], edx 0x0000000c mov dword ptr [edi+04h], eax 0x0000000f adc ax, 000072BAh 0x00000013 mov eax, dword ptr [esi] 0x00000015 lea esi, dword ptr [esi+00000004h] 0x0000001b clc 0x0000001c xor eax, ebx 0x0000001e ror eax, 03h 0x00000021 jmp 00007F927D1CD0D0h 0x00000026 bswap eax 0x00000028 inc eax 0x00000029 test ebp, 079613ADh 0x0000002f neg eax 0x00000031 sub eax, 26BE4558h 0x00000036 jmp 00007F927D4A81DCh 0x0000003b xor ebx, eax 0x0000003d cmp dx, 19C7h 0x00000042 add ebp, eax 0x00000044 jmp 00007F927CD1781Ah 0x00000049 jmp 00007F927CDC647Ch 0x0000004e lea eax, dword ptr [esp+60h] 0x00000052 jmp 00007F927D0AD33Ah 0x00000057 cmp edi, eax 0x00000059 jmp 00007F927D9CF74Fh 0x0000005e ja 00007F927CA9C65Fh 0x00000064 push ebp 0x00000065 ret 0x00000066 mov ecx, dword ptr [edi] 0x00000068 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: F77410 second address: F77429 instructions: 0x00000000 rdtsc 0x00000002 ror cl, 1 0x00000004 dec dl 0x00000006 not cl 0x00000008 sub cl, FFFFFF82h 0x0000000b sub dx, di 0x0000000e bsr edx, esp 0x00000011 xor bl, cl 0x00000013 dec ax 0x00000016 sal eax, FFFFFFE6h 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 76762B second address: F523BB instructions: 0x00000000 rdtsc 0x00000002 adc ax, si 0x00000005 jmp 00007F927D9B3A9Eh 0x0000000a movzx ecx, byte ptr [edi] 0x0000000d btc ax, FFE7h 0x00000012 clc 0x00000013 xor cl, bl 0x00000015 xchg ax, dx 0x00000017 sal dh, cl 0x00000019 add cl, FFFFFFE2h 0x0000001c sar edx, 29h 0x0000001f adc eax, 4AD259B5h 0x00000024 xor cl, 0000001Fh 0x00000027 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 11CEBCC second address: 1247CD7 instructions: 0x00000000 rdtsc 0x00000002 sar al, 00000034h 0x00000005 rol al, cl 0x00000007 mov eax, dword ptr [esp+ecx] 0x0000000a rol dh, cl 0x0000000c lea esi, dword ptr [esi-00000004h] 0x00000012 bts dx, cx 0x00000016 mov dword ptr [esi], eax 0x00000018 lea ebp, dword ptr [ebp-00000004h] 0x0000001e rcr edx, cl 0x00000020 mov edx, dword ptr [ebp+00h] 0x00000024 xor edx, ebx 0x00000026 test edi, 4C1D4763h 0x0000002c cmc 0x0000002d cmp al, CEh 0x0000002f neg edx 0x00000031 sub edx, 16B2299Dh 0x00000037 stc 0x00000038 cmc 0x00000039 clc 0x0000003a ror edx, 02h 0x0000003d stc 0x0000003e clc 0x0000003f bswap edx 0x00000041 cmp bp, 3AA2h 0x00000046 xor ebx, edx 0x00000048 cmp ah, ah 0x0000004a clc 0x0000004b add edi, edx 0x0000004d jmp 00007F927CA55644h 0x00000052 lea edx, dword ptr [esp+60h] 0x00000056 cmp di, sp 0x00000059 test si, 1D39h 0x0000005e cmp esi, edx 0x00000060 jmp 00007F927C97B36Fh 0x00000065 ja 00007F927CB1EAA7h 0x0000006b jmp edi 0x0000006d sub ebp, 00000001h 0x00000073 rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe RDTSC instruction interceptor: First address: 11B801E second address: 1268E07 instructions: 0x00000000 rdtsc 0x00000002 sub esi, 00000008h 0x00000008 cmp ebx, edi 0x0000000a mov dword ptr [esi], edx 0x0000000c test edi, esi 0x0000000e mov dword ptr [esi+04h], eax 0x00000011 and eax, edi 0x00000013 stc 0x00000014 sub ebp, 00000004h 0x0000001a mov eax, dword ptr [ebp+00h] 0x0000001e stc 0x0000001f xor eax, ebx 0x00000021 cmc 0x00000022 jmp 00007F927CF844FCh 0x00000027 ror eax, 02h 0x0000002a clc 0x0000002b cmp bl, 00000052h 0x0000002e sub eax, 7802521Eh 0x00000033 ror eax, 1 0x00000035 cmp esi, eax 0x00000037 sub eax, 07845C0Bh 0x0000003c xor ebx, eax 0x0000003e stc 0x0000003f add edi, eax 0x00000041 jmp 00007F927D23D09Ch 0x00000046 jmp 00007F927CDD78AEh 0x0000004b lea eax, dword ptr [esp+60h] 0x0000004f cmp sp, 6C62h 0x00000054 cmc 0x00000055 stc 0x00000056 cmp esi, eax 0x00000058 jmp 00007F927D0596F4h 0x0000005d ja 00007F927D681274h 0x00000063 jmp edi 0x00000065 mov ecx, dword ptr [esi] 0x00000067 cmc 0x00000068 or dl, 0000002Ah 0x0000006b rdtsc
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Special instruction interceptor: First address: 1853ACB instructions rdtsc caused by: RDTSC with Trap Flag (TF)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: 1EE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: 3CC0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: 2150000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: 6260000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: 8260000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: 95F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: B5F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: B870000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: 83A0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: E9F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: 109F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: 129F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory allocated: 2CD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory allocated: 2ED0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Memory allocated: 4ED0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Window / User API: threadDelayed 3804
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Window / User API: threadDelayed 5384
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Window / User API: foregroundWindowGot 1765
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe TID: 2344 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 7072 Thread sleep count: 248 > 30
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 7072 Thread sleep time: -248000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 6732 Thread sleep count: 3804 > 30
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 7072 Thread sleep count: 5384 > 30
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe TID: 7072 Thread sleep time: -5384000s >= -30000s
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1349983964.0000000004BBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: chkVMwareClick
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1348743141.0000000004862000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1349983964.0000000004BBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TCheckBoxchkVMware
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: chkVMware
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1349983964.0000000004BBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: chkSandboxieClickTCheckBoxchkVMware
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1344401080.0000000000401000.00000020.00000001.01000000.00000007.sdmp Binary or memory string: chkVMware\
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1349983964.0000000004BBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: chkVMwareClickTCheckBox
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1348743141.00000000047BA000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: chkVMware`
Source: Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000002.1348119929.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, Remcos Professional Cracked By Alcatraz3222.exe, 00000002.00000003.1343959408.0000000002A13000.00000004.00000020.00020000.00000000.sdmp, taskhost.exe, 00000013.00000002.3717374121.00000000012E8000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000015.00000002.1411514810.0000000000DDB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe Process queried: DebugObjectHandle
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: taskhost.exe.0.dr, NativeMethodsShared.cs Reference to suspicious API methods: OpenProcess(eDesiredAccess.PROCESS_QUERY_INFORMATION, bInheritHandle: false, processIdTokill)
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, kl.cs Reference to suspicious API methods: MapVirtualKey(a, 0u)
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, kl.cs Reference to suspicious API methods: GetAsyncKeyState(num2)
Source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, OK.cs Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory allocated: C:\Users\user\AppData\Local\Temp\taskhost.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory written: C:\Users\user\AppData\Local\Temp\taskhost.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory written: C:\Users\user\AppData\Local\Temp\taskhost.exe base: 400000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory written: C:\Users\user\AppData\Local\Temp\taskhost.exe base: 402000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory written: C:\Users\user\AppData\Local\Temp\taskhost.exe base: 40A000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory written: C:\Users\user\AppData\Local\Temp\taskhost.exe base: 40C000
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Memory written: C:\Users\user\AppData\Local\Temp\taskhost.exe base: D5C008
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe "C:\Users\user\AppData\Local\Temp\Remcos Professional Cracked By Alcatraz3222.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c copy "C:/Users/user/Desktop/LisectAVT_2403002A_348.exe" "%temp%\Profile Remcos\Update_Lock_Remcos.exe" /Y
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "%temp%\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c echo [zoneTransfer]ZoneID = 2 > %temp%\Profile Remcos\Update_Lock_Remcos.exe:Zone.Identifier
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows" /v Load /t REG_SZ /d "C:\Users\user~1\AppData\Local\Temp\Profile Remcos\Update_Lock_Remcos.exe.lnk" /f
Source: taskhost.exe, 00000013.00000002.3726257795.0000000002F43000.00000004.00000800.00020000.00000000.sdmp, taskhost.exe, 00000013.00000002.3717374121.00000000012E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: taskhost.exe, 00000013.00000002.3717374121.00000000012E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managero
Source: taskhost.exe, 00000013.00000002.3726257795.0000000002F43000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager@\
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Queries volume information: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Users\user\AppData\Local\Temp\taskhost.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\LisectAVT_2403002A_348.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE
Source: C:\Users\user\AppData\Local\Temp\taskhost.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram "C:\Users\user\AppData\Local\Temp\taskhost.exe" "taskhost.exe" ENABLE

Stealing of Sensitive Information

Source: Yara match File source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3726257795.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_348.exe PID: 4472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: taskhost.exe PID: 4040, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 19.2.taskhost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d9f0e0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.LisectAVT_2403002A_348.exe.3d97844.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000013.00000002.3711157096.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.3726257795.0000000002ED1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1340370522.0000000003CE4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: LisectAVT_2403002A_348.exe PID: 4472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: taskhost.exe PID: 4040, type: MEMORYSTR