Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Avira: detected |
Source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp |
Malware Configuration Extractor: Remcos {"Host:Port:Password": "2024remcmon.duckdns.org:14645:1", "Assigned name": "zynova", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R2I0JW", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"} |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
ReversingLabs: Detection: 89% |
Source: Yara match |
File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 100.0% probability |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00433837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, |
0_2_00433837 |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: -----BEGIN PUBLIC KEY----- |
memstr_9fded3bc-b |
Source: Yara match |
File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004074FD _wcslen,CoGetObject, |
0_2_004074FD |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
0_2_00409253 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
0_2_0041C291 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
0_2_0040C34D |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
0_2_00409665 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0044E879 FindFirstFileExA, |
0_2_0044E879 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
0_2_0040880C |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040783C FindFirstFileW,FindNextFileW, |
0_2_0040783C |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
0_2_00419AF5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
0_2_0040BB30 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
0_2_0040BD37 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, |
0_2_00407C97 |
Source: Malware configuration extractor |
URLs: 2024remcmon.duckdns.org |
Source: unknown |
DNS query: name: 2024remcmon.duckdns.org |
Source: global traffic |
HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache |
Source: Joe Sandbox View |
IP Address: 192.210.214.9 192.210.214.9 |
Source: Joe Sandbox View |
IP Address: 178.237.33.50 178.237.33.50 |
Source: Joe Sandbox View |
ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041B380 InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle, |
0_2_0041B380 |
Source: global traffic |
HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache |
Source: global traffic |
DNS traffic detected: DNS query: 2024remcmon.duckdns.org |
Source: global traffic |
DNS traffic detected: DNS query: geoplugin.net |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000689000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/ |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/2 |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000680000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000680000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpK |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpSystem32 |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpU |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpl |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040A2B8 SetWindowsHookExA 0000000D,0040A2A4,00000000 |
0_2_0040A2B8 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, |
0_2_0040B70E |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004168C1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
0_2_004168C1 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040B70E OpenClipboard,GetClipboardData,CloseClipboard, |
0_2_0040B70E |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, |
0_2_0040A3E0 |
Source: Yara match |
File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041C9E2 SystemParametersInfoW, |
0_2_0041C9E2 |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004132D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, |
0_2_004132D2 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041BB09 OpenProcess,NtSuspendProcess,CloseHandle, |
0_2_0041BB09 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041BB35 OpenProcess,NtResumeProcess,CloseHandle, |
0_2_0041BB35 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004167B4 ExitWindowsEx,LoadLibraryA,GetProcAddress, |
0_2_004167B4 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0043E0CC |
0_2_0043E0CC |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041F0FA |
0_2_0041F0FA |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00454159 |
0_2_00454159 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00438168 |
0_2_00438168 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004461F0 |
0_2_004461F0 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0043E2FB |
0_2_0043E2FB |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0045332B |
0_2_0045332B |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0042739D |
0_2_0042739D |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004374E6 |
0_2_004374E6 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0043E558 |
0_2_0043E558 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00438770 |
0_2_00438770 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004378FE |
0_2_004378FE |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00433946 |
0_2_00433946 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0044D9C9 |
0_2_0044D9C9 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00427A46 |
0_2_00427A46 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041DB62 |
0_2_0041DB62 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00427BAF |
0_2_00427BAF |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00437D33 |
0_2_00437D33 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00435E5E |
0_2_00435E5E |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00426E0E |
0_2_00426E0E |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0043DE9D |
0_2_0043DE9D |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00413FCA |
0_2_00413FCA |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00436FEA |
0_2_00436FEA |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: String function: 00434E10 appears 54 times |
|
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: String function: 00402093 appears 50 times |
|
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: String function: 00434770 appears 42 times |
|
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: String function: 00401E65 appears 35 times |
|
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: classification engine |
Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@2/2 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00417952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, |
0_2_00417952 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, |
0_2_0040F474 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, |
0_2_0041B4A8 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
0_2_0041AA4A |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R2I0JW |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: Software\ |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: Rmc-R2I0JW |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: Exe |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: Exe |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: Rmc-R2I0JW |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: Inj |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: Inj |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: 8)b |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: 8)b |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: 8)b |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: 8SG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: 8)b |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: exepath |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: 8SG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: exepath |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: 8)b |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: licence |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: dMG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: PSG |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: Administrator |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: User |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: del |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: del |
0_2_0040E9C5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Command line argument: del |
0_2_0040E9C5 |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
ReversingLabs: Detection: 89% |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: rstrtmgr.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: ncrypt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: ntasn1.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: cryptsp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: rsaenh.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Jump to behavior |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, |
0_2_0041CB50 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00457106 push ecx; ret |
0_2_00457119 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00457A28 push eax; ret |
0_2_00457A46 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00434E56 push ecx; ret |
0_2_00434E69 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00406EB0 ShellExecuteW,URLDownloadToFileW, |
0_2_00406EB0 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041AA4A OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
0_2_0041AA4A |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, |
0_2_0041CB50 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040F7A7 Sleep,ExitProcess, |
0_2_0040F7A7 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, |
0_2_0041A748 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Window / User API: threadDelayed 1450 |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Window / User API: threadDelayed 8542 |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe TID: 360 |
Thread sleep count: 1450 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe TID: 360 |
Thread sleep time: -4350000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe TID: 360 |
Thread sleep count: 8542 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe TID: 360 |
Thread sleep time: -25626000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00409253 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
0_2_00409253 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
0_2_0041C291 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
0_2_0040C34D |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00409665 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
0_2_00409665 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0044E879 FindFirstFileExA, |
0_2_0044E879 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040880C __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
0_2_0040880C |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040783C FindFirstFileW,FindNextFileW, |
0_2_0040783C |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00419AF5 FindFirstFileW,FindNextFileW,FindNextFileW, |
0_2_00419AF5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
0_2_0040BB30 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0040BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
0_2_0040BD37 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00407C97 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, |
0_2_00407C97 |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000003.2008262902.0000000000698000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446573079.0000000000698000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_004349F9 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041CB50 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, |
0_2_0041CB50 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004432B5 mov eax, dword ptr fs:[00000030h] |
0_2_004432B5 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00412077 GetProcessHeap,HeapFree, |
0_2_00412077 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_004349F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_004349F9 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00434B47 SetUnhandledExceptionFilter, |
0_2_00434B47 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0043BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0043BB22 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00434FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00434FDC |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe |
0_2_004120F7 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00419627 mouse_event, |
0_2_00419627 |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446573079.0000000000692000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446573079.0000000000692000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.0000000000660000.00000004.00000020.00020000.00000000.sdmp, 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: |Program Manager| |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00434C52 cpuid |
0_2_00434C52 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: GetLocaleInfoA, |
0_2_0040F8D1 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_00452036 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_004520C3 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: GetLocaleInfoW, |
0_2_00452313 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_00448404 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_0045243C |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: GetLocaleInfoW, |
0_2_00452543 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00452610 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: GetLocaleInfoW, |
0_2_004488ED |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
0_2_00451CD8 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_00451F50 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_00451F9B |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00404F51 GetLocalTime,CreateEventA,CreateThread, |
0_2_00404F51 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_0041B60D GetComputerNameExW,GetUserNameW, |
0_2_0041B60D |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: 0_2_00449190 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, |
0_2_00449190 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |
Jump to behavior |
Source: Yara match |
File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data |
0_2_0040BA12 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ |
0_2_0040BB30 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: \key3.db |
0_2_0040BB30 |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R2I0JW |
Jump to behavior |
Source: Yara match |
File source: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.1984087805.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4446227426.0000000000459000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4446412767.000000000061E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe PID: 6976, type: MEMORYSTR |
Source: C:\Users\user\Desktop\1722001145c8336cb6887f0bbe0b12744f5c43638979603a57a5fc96eb7f34015fb312b4f7920.dat-decoded.exe |
Code function: cmd.exe |
0_2_0040569A |