Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Avira: detected |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Malware Configuration Extractor: Remcos {"Host:Port:Password": ["148.113.165.11:4090:0"], "Assigned name": "xx1", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "asasasa-H4TBM8", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""} |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
ReversingLabs: Detection: 73% |
Source: Yara match |
File source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.2027433393.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482766709.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482921229.000000000070E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe PID: 4396, type: MEMORYSTR |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 99.8% probability |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Joe Sandbox ML: detected |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, |
0_2_0043293A |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482766709.0000000000457000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: -----BEGIN PUBLIC KEY----- |
memstr_bc590a65-a |
Source: Yara match |
File source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.2027433393.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482766709.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe PID: 4396, type: MEMORYSTR |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00406764 _wcslen,CoGetObject, |
0_2_00406764 |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
0_2_0040B335 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
0_2_0041B42F |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
0_2_0040B53A |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0044D5E9 FindFirstFileExA, |
0_2_0044D5E9 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, |
0_2_004089A9 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW, |
0_2_00406AC2 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
0_2_00407A8C |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, |
0_2_00418C69 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, |
0_2_00408DA7 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, |
0_2_00406F06 |
Source: Network traffic |
Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49704 -> 148.113.165.11:4090 |
Source: Network traffic |
Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 148.113.165.11:4090 -> 192.168.2.5:49704 |
Source: Malware configuration extractor |
IPs: 148.113.165.11 |
Source: global traffic |
TCP traffic: 192.168.2.5:49704 -> 148.113.165.11:4090 |
Source: global traffic |
HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache |
Source: Joe Sandbox View |
IP Address: 148.113.165.11 148.113.165.11 |
Source: Joe Sandbox View |
IP Address: 178.237.33.50 178.237.33.50 |
Source: Joe Sandbox View |
ASN Name: GOOGLE-PRIVATE-CLOUDUS GOOGLE-PRIVATE-CLOUDUS |
Source: Network traffic |
Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49705 -> 178.237.33.50:80 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 148.113.165.11 |
Source: unknown |
UDP traffic detected without corresponding DNS query: 1.1.1.1 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0040455B WaitForSingleObject,SetEvent,recv, |
0_2_0040455B |
Source: global traffic |
HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache |
Source: global traffic |
DNS traffic detected: DNS query: geoplugin.net |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000003.2058703159.0000000000749000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.000000000075A000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.0000000000749000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000003.2058703159.000000000075A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000003.2058703159.0000000000749000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.0000000000749000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpQ |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000003.2058703159.0000000000749000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.0000000000749000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpSystem32 |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.000000000075A000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000003.2058703159.000000000075A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpV |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.000000000075A000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000003.2058703159.000000000075A000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gpll |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 |
0_2_004099E4 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
0_2_004159C6 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
0_2_004159C6 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, |
0_2_004159C6 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, |
0_2_00409B10 |
Source: Yara match |
File source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.2027433393.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482766709.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe PID: 4396, type: MEMORYSTR |
Source: Yara match |
File source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.2027433393.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482766709.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482921229.000000000070E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe PID: 4396, type: MEMORYSTR |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041BB77 SystemParametersInfoW, |
0_2_0041BB77 |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000000.2027433393.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000000.00000002.4482766709.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe PID: 4396, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, |
0_2_0041ACC1 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, |
0_2_0041ACED |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, |
0_2_004158B9 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041D071 |
0_2_0041D071 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004520D2 |
0_2_004520D2 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0043D098 |
0_2_0043D098 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00437150 |
0_2_00437150 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004361AA |
0_2_004361AA |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00426254 |
0_2_00426254 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00431377 |
0_2_00431377 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0043651C |
0_2_0043651C |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041E5DF |
0_2_0041E5DF |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0044C739 |
0_2_0044C739 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004367C6 |
0_2_004367C6 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004267CB |
0_2_004267CB |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0043C9DD |
0_2_0043C9DD |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00432A49 |
0_2_00432A49 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00436A8D |
0_2_00436A8D |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0043CC0C |
0_2_0043CC0C |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00436D48 |
0_2_00436D48 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00434D22 |
0_2_00434D22 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00426E73 |
0_2_00426E73 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00440E20 |
0_2_00440E20 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0043CE3B |
0_2_0043CE3B |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00412F45 |
0_2_00412F45 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00452F00 |
0_2_00452F00 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00426FAD |
0_2_00426FAD |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: String function: 00401F66 appears 50 times |
|
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: String function: 004020E7 appears 40 times |
|
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: String function: 004338A5 appears 42 times |
|
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: String function: 00433FB0 appears 55 times |
|
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000000.00000000.2027433393.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000000.00000002.4482766709.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe PID: 4396, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: classification engine |
Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@1/2 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, |
0_2_00416AB7 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, |
0_2_0040E219 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource, |
0_2_0041A63F |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
0_2_00419BC4 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Mutant created: \Sessions\1\BaseNamedObjects\asasasa-H4TBM8 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: Software\ |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: asasasa-H4TBM8 |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: Exe |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: Exe |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: asasasa-H4TBM8 |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: 0DG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: Inj |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: Inj |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: BG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: BG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: BG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: @CG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: BG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: exepath |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: @CG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: exepath |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: BG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: licence |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: `=G |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: XCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: dCG |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: Administrator |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: User |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: del |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: del |
0_2_0040D767 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Command line argument: del |
0_2_0040D767 |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
ReversingLabs: Detection: 73% |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: winmm.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: urlmon.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: wininet.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: iertutil.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: srvcli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: netutils.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: iphlpapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: sspicli.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: mswsock.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: profapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: ondemandconnroutehelper.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: winhttp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: winnsi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: dnsapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: rasadhlp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Section loaded: fwpuclnt.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 |
Jump to behavior |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, |
0_2_0041BCE3 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004567E0 push eax; ret |
0_2_004567FE |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00455EAF push ecx; ret |
0_2_00455EC2 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00433FF6 push ecx; ret |
0_2_00434009 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW, |
0_2_00406128 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, |
0_2_00419BC4 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, |
0_2_0041BCE3 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0040E54F Sleep,ExitProcess, |
0_2_0040E54F |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, |
0_2_004198C2 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Window / User API: threadDelayed 3424 |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Window / User API: threadDelayed 6568 |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
API coverage: 9.6 % |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe TID: 5596 |
Thread sleep count: 3424 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe TID: 5596 |
Thread sleep time: -10272000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe TID: 5596 |
Thread sleep count: 6568 > 30 |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe TID: 5596 |
Thread sleep time: -19704000s >= -30000s |
Jump to behavior |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
0_2_0040B335 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, |
0_2_0041B42F |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
0_2_0040B53A |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0044D5E9 FindFirstFileExA, |
0_2_0044D5E9 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, |
0_2_004089A9 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW, |
0_2_00406AC2 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, |
0_2_00407A8C |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, |
0_2_00418C69 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, |
0_2_00408DA7 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, |
0_2_00406F06 |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.000000000070E000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW8 |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.0000000000782000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000003.2058703159.0000000000782000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAWm |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.0000000000782000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000003.2058703159.0000000000782000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Hyper-V RAW |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0043A65D |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress, |
0_2_0041BCE3 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h] |
0_2_00442554 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0044E92E GetProcessHeap, |
0_2_0044E92E |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, |
0_2_00434168 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_0043A65D |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, |
0_2_00433B44 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00433CD7 SetUnhandledExceptionFilter, |
0_2_00433CD7 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe |
0_2_00410F36 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00418754 mouse_event, |
0_2_00418754 |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.0000000000777000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program Manager |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.0000000000777000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: Program ManagerR |
Source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.0000000000782000.00000004.00000020.00020000.00000000.sdmp, 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, 00000000.00000002.4482921229.000000000076C000.00000004.00000020.00020000.00000000.sdmp |
Binary or memory string: |Program Manager| |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00433E0A cpuid |
0_2_00433E0A |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: GetLocaleInfoA, |
0_2_0040E679 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_004470AE |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: GetLocaleInfoW, |
0_2_004510BA |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, |
0_2_004511E3 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: GetLocaleInfoW, |
0_2_004512EA |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, |
0_2_004513B7 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: GetLocaleInfoW, |
0_2_00447597 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, |
0_2_00450A7F |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_00450CF7 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_00450D42 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: EnumSystemLocalesW, |
0_2_00450DDD |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, |
0_2_00450E6A |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread, |
0_2_00404915 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW, |
0_2_0041A7A2 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, |
0_2_0044800F |
Source: Yara match |
File source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.2027433393.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482766709.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482921229.000000000070E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe PID: 4396, type: MEMORYSTR |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data |
0_2_0040B21B |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ |
0_2_0040B335 |
Source: C:\Users\user\Desktop\1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe |
Code function: \key3.db |
0_2_0040B335 |
Source: Yara match |
File source: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe, type: SAMPLE |
Source: Yara match |
File source: 0.0.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 0.2.1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE |
Source: Yara match |
File source: 00000000.00000000.2027433393.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482766709.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY |
Source: Yara match |
File source: 00000000.00000002.4482921229.000000000070E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY |
Source: Yara match |
File source: Process Memory Space: 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe PID: 4396, type: MEMORYSTR |