Windows Analysis Report
uIarPolvHR.exe

Overview

General Information

Sample name: uIarPolvHR.exe
renamed because original name is a hash value
Original sample name: f3c6c680b66ef4a132e3a9b61b83622d.exe
Analysis ID: 1570859
MD5: f3c6c680b66ef4a132e3a9b61b83622d
SHA1: c720cc4ff63d365458e9be977ed692263108dc87
SHA256: e51f50b3f520e3de0f0916e0291ad093aa0c50f6c81010001ce5aa2aee88f7b0
Tags: exeuser-abuse_ch
Infos:

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Remcos, RemcosRAT Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
 https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection
barindex
Found malware configuration
Source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe ReversingLabs: Detection: 60%
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Virustotal: Detection: 70% Perma Link
Multi AV Scanner detection for submitted file
Source: uIarPolvHR.exe ReversingLabs: Detection: 60%
Source: uIarPolvHR.exe Virustotal: Detection: 70% Perma Link
Yara detected Remcos RAT
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573273495.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.9% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: uIarPolvHR.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 2_2_0043293A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 5_2_0043293A
Source: nonhazardousness.exe Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits
barindex
Yara detected UAC Bypass using CMSTP
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR

Privilege Escalation
barindex
Contains functionality to bypass UAC (CMSTPLUA)
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00406764 _wcslen,CoGetObject, 2_2_00406764
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00406764 _wcslen,CoGetObject, 5_2_00406764
Uses 32bit PE files
Source: uIarPolvHR.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00DE445A
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEC6D1 FindFirstFileW,FindClose, 0_2_00DEC6D1
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00DEC75C
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00DEEF95
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00DEF0F2
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00DEF3F3
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00DE37EF
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00DE3B12
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00DEBCBC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 2_2_0041B42F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_0040B53A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0044D5E9 FindFirstFileExA, 2_2_0044D5E9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 2_2_004089A9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00406AC2 FindFirstFileW,FindNextFileW, 2_2_00406AC2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 2_2_00407A8C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 2_2_00418C69
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 2_2_00408DA7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2445A GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00E2445A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2C6D1 FindFirstFileW,FindClose, 2_2_00E2C6D1
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00E2C75C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00E2EF95
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00E2F0F2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00E2F3F3
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00E237EF
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00E23B12
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00E2BCBC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 5_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 5_2_0041B42F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 5_2_0040B53A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0044D5E9 FindFirstFileExA, 5_2_0044D5E9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 5_2_004089A9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW, 5_2_00406AC2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 5_2_00407A8C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 5_2_00418C69
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 5_2_00408DA7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 2_2_00406F06

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49706 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49705 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49707 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49709 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49708 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49712 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49714 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49716 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49718 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49720 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49728 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49717 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49726 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49719 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49723 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49729 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49721 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49730 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49725 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49734 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49738 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49732 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49733 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49731 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49742 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49739 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49744 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49750 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49746 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49766 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49749 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49748 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49753 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49745 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49755 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49769 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49754 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49743 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49778 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49788 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49786 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49757 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49770 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49782 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49773 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49765 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49783 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49764 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49790 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49774 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49775 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49768 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49758 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49771 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49784 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49792 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49741 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49781 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49795 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49752 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49777 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49789 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49800 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49763 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49760 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49756 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49794 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49767 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49772 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49793 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49762 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49759 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49787 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49779 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49722 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49799 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49780 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49797 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49736 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49761 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49798 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49785 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49776 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49796 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49715 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49747 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49740 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49751 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49791 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49801 -> 192.210.150.26:8787
Source: Network traffic Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.8:49724 -> 192.210.150.26:8787
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor IPs: 192.210.150.26
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 192.210.150.26 192.210.150.26
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00DF22EE
Source: nonhazardousness.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: nonhazardousness.exe, 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, nonhazardousness.exe, 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 2_2_004099E4
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00DF4164
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00DF4164
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 2_2_004159C6
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E34164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 2_2_00E34164
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 5_2_004159C6
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00DF3F66
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_00DE001C
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00E0CABC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_00E4CABC
Yara detected Keylogger Generic
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR

E-Banking Fraud
barindex
Yara detected Remcos RAT
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573273495.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands
barindex
Contains functionalty to change the wallpaper
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0041BB77 SystemParametersInfoW, 2_2_0041BB77
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0041BB77 SystemParametersInfoW, 5_2_0041BB77

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Binary is likely a compiled AutoIt script file
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: This is a third-party compiled AutoIt script. 0_2_00D83B3A
Source: uIarPolvHR.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: uIarPolvHR.exe, 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6bd1bc04-7
Source: uIarPolvHR.exe, 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_599fa4f0-a
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: This is a third-party compiled AutoIt script. 2_2_00DC3B3A
Source: nonhazardousness.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: nonhazardousness.exe, 00000002.00000002.3878185815.0000000000E74000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6fef7404-f
Source: nonhazardousness.exe, 00000002.00000002.3878185815.0000000000E74000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_5a9912f2-a
Source: nonhazardousness.exe, 00000004.00000002.1564698054.0000000000E74000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6c93c6d3-7
Source: nonhazardousness.exe, 00000004.00000002.1564698054.0000000000E74000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_80eac55d-c
Source: nonhazardousness.exe, 00000005.00000002.1572875642.0000000000E74000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f94ec908-c
Source: nonhazardousness.exe, 00000005.00000002.1572875642.0000000000E74000.00000040.00000001.01000000.00000004.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_604dc801-3
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D83633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 0_2_00D83633
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 0_2_00E0C1AC
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 0_2_00E0C498
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 0_2_00E0C5FE
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0C57D SendMessageW,NtdllDialogWndProc_W, 0_2_00E0C57D
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0C8BE NtdllDialogWndProc_W, 0_2_00E0C8BE
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0C88F NtdllDialogWndProc_W, 0_2_00E0C88F
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0C860 NtdllDialogWndProc_W, 0_2_00E0C860
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0C93E ClientToScreen,NtdllDialogWndProc_W, 0_2_00E0C93E
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0C909 NtdllDialogWndProc_W, 0_2_00E0C909
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00E0CABC
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0CA7C GetWindowLongW,NtdllDialogWndProc_W, 0_2_00E0CA7C
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D81290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 0_2_00D81290
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D81287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,7524C8D0,NtdllDialogWndProc_W, 0_2_00D81287
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0D3B8 NtdllDialogWndProc_W, 0_2_00E0D3B8
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 0_2_00E0D43E
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D816DE GetParent,NtdllDialogWndProc_W, 0_2_00D816DE
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D816B5 NtdllDialogWndProc_W, 0_2_00D816B5
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D8167D NtdllDialogWndProc_W, 0_2_00D8167D
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0D78C NtdllDialogWndProc_W, 0_2_00E0D78C
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D8189B NtdllDialogWndProc_W, 0_2_00D8189B
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0BC5D NtdllDialogWndProc_W,CallWindowProcW, 0_2_00E0BC5D
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 0_2_00E0BF8C
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0BF30 NtdllDialogWndProc_W, 0_2_00E0BF30
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 2_2_0041CA9E
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, 2_2_0041ACC1
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, 2_2_0041ACED
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DC3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow, 2_2_00DC3633
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4C1AC PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W, 2_2_00E4C1AC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W, 2_2_00E4C498
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4C5FE DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W, 2_2_00E4C5FE
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4C57D SendMessageW,NtdllDialogWndProc_W, 2_2_00E4C57D
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4C8BE NtdllDialogWndProc_W, 2_2_00E4C8BE
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4C88F NtdllDialogWndProc_W, 2_2_00E4C88F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4C860 NtdllDialogWndProc_W, 2_2_00E4C860
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4C93E ClientToScreen,NtdllDialogWndProc_W, 2_2_00E4C93E
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4C909 NtdllDialogWndProc_W, 2_2_00E4C909
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 2_2_00E4CABC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4CA7C GetWindowLongW,NtdllDialogWndProc_W, 2_2_00E4CA7C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DC1290 NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient, 2_2_00DC1290
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DC1287 NtdllDialogWndProc_W,GetSysColor,SetBkColor,7524C8D0,NtdllDialogWndProc_W, 2_2_00DC1287
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4D3B8 NtdllDialogWndProc_W, 2_2_00E4D3B8
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4D43E GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W, 2_2_00E4D43E
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DC16DE GetParent,NtdllDialogWndProc_W, 2_2_00DC16DE
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DC16B5 NtdllDialogWndProc_W, 2_2_00DC16B5
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DC167D NtdllDialogWndProc_W, 2_2_00DC167D
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4D78C NtdllDialogWndProc_W, 2_2_00E4D78C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DC189B NtdllDialogWndProc_W, 2_2_00DC189B
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4BC5D NtdllDialogWndProc_W,CallWindowProcW, 2_2_00E4BC5D
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4BF8C ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W, 2_2_00E4BF8C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4BF30 NtdllDialogWndProc_W, 2_2_00E4BF30
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0041CA9E NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 5_2_0041CA9E
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle, 5_2_0041ACC1
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle, 5_2_0041ACED
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_00DEA1EF
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DD8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,75185590,CreateProcessAsUserW,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle, 0_2_00DD8310
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_00DE51BD
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 2_2_004158B9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 2_2_00E251BD
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 5_2_004158B9
Detected potential crypto function
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DAD975 0_2_00DAD975
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D8FCE0 0_2_00D8FCE0
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA21C5 0_2_00DA21C5
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DB62D2 0_2_00DB62D2
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E003DA 0_2_00E003DA
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DB242E 0_2_00DB242E
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA25FA 0_2_00DA25FA
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D966E1 0_2_00D966E1
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D8E6A0 0_2_00D8E6A0
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DDE616 0_2_00DDE616
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DB878F 0_2_00DB878F
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE8889 0_2_00DE8889
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DB6844 0_2_00DB6844
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E00857 0_2_00E00857
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D98808 0_2_00D98808
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DACB21 0_2_00DACB21
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DB6DB6 0_2_00DB6DB6
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D96F9E 0_2_00D96F9E
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D93030 0_2_00D93030
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DAF1D9 0_2_00DAF1D9
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA3187 0_2_00DA3187
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D81287 0_2_00D81287
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA1484 0_2_00DA1484
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D95520 0_2_00D95520
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA7696 0_2_00DA7696
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D95760 0_2_00D95760
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA1978 0_2_00DA1978
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DB9AB5 0_2_00DB9AB5
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E07DDB 0_2_00E07DDB
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA1D90 0_2_00DA1D90
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DABDA6 0_2_00DABDA6
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D93FE0 0_2_00D93FE0
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D8DF00 0_2_00D8DF00
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_01064FB8 0_2_01064FB8
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0041D071 2_2_0041D071
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004520D2 2_2_004520D2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0043D098 2_2_0043D098
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00437150 2_2_00437150
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004361AA 2_2_004361AA
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00426254 2_2_00426254
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00431377 2_2_00431377
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0043651C 2_2_0043651C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0041E5DF 2_2_0041E5DF
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0044C739 2_2_0044C739
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004367C6 2_2_004367C6
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004267CB 2_2_004267CB
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0043C9DD 2_2_0043C9DD
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00432A49 2_2_00432A49
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00436A8D 2_2_00436A8D
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0043CC0C 2_2_0043CC0C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00436D48 2_2_00436D48
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00434D22 2_2_00434D22
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00426E73 2_2_00426E73
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00440E20 2_2_00440E20
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0043CE3B 2_2_0043CE3B
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00412F45 2_2_00412F45
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00452F00 2_2_00452F00
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00426FAD 2_2_00426FAD
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DED975 2_2_00DED975
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DCFCE0 2_2_00DCFCE0
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DE21C5 2_2_00DE21C5
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DF62D2 2_2_00DF62D2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E403DA 2_2_00E403DA
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DF242E 2_2_00DF242E
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DE25FA 2_2_00DE25FA
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DD66E1 2_2_00DD66E1
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DCE6A0 2_2_00DCE6A0
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E1E616 2_2_00E1E616
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DF878F 2_2_00DF878F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E28889 2_2_00E28889
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DF6844 2_2_00DF6844
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E40857 2_2_00E40857
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DD8808 2_2_00DD8808
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DECB21 2_2_00DECB21
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DF6DB6 2_2_00DF6DB6
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DD6F9E 2_2_00DD6F9E
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DD3030 2_2_00DD3030
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DEF1D9 2_2_00DEF1D9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DE3187 2_2_00DE3187
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DC1287 2_2_00DC1287
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DE1484 2_2_00DE1484
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DD5520 2_2_00DD5520
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DE7696 2_2_00DE7696
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DD5760 2_2_00DD5760
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DE1978 2_2_00DE1978
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DF9AB5 2_2_00DF9AB5
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E47DDB 2_2_00E47DDB
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DE1D90 2_2_00DE1D90
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DEBDA6 2_2_00DEBDA6
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DD3FE0 2_2_00DD3FE0
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DCDF00 2_2_00DCDF00
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_01802228 2_2_01802228
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 4_2_01041AB0 4_2_01041AB0
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0041D071 5_2_0041D071
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004520D2 5_2_004520D2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0043D098 5_2_0043D098
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00437150 5_2_00437150
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004361AA 5_2_004361AA
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00426254 5_2_00426254
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00431377 5_2_00431377
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0043651C 5_2_0043651C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0041E5DF 5_2_0041E5DF
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0044C739 5_2_0044C739
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004367C6 5_2_004367C6
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004267CB 5_2_004267CB
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0043C9DD 5_2_0043C9DD
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00432A49 5_2_00432A49
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00436A8D 5_2_00436A8D
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0043CC0C 5_2_0043CC0C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00436D48 5_2_00436D48
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00434D22 5_2_00434D22
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00426E73 5_2_00426E73
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00440E20 5_2_00440E20
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0043CE3B 5_2_0043CE3B
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00412F45 5_2_00412F45
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00452F00 5_2_00452F00
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00426FAD 5_2_00426FAD
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_01454938 5_2_01454938
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: String function: 00D87DE1 appears 35 times
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: String function: 00DA0AE3 appears 70 times
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: String function: 00DA8900 appears 42 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00444B14 appears 56 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00404C9E appears 32 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 004020E7 appears 79 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00DE0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00DC7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00401E8F appears 37 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00401D64 appears 43 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00447174 appears 36 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 004040BB appears 36 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00401F66 appears 100 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00410D8D appears 36 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 004338A5 appears 82 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00401FAA appears 42 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00403B40 appears 44 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00DE8900 appears 42 times
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: String function: 00433FB0 appears 110 times
Uses 32bit PE files
Source: uIarPolvHR.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@8/8@0/1
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEA06A GetLastError,FormatMessageW, 0_2_00DEA06A
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DD81CB AdjustTokenPrivileges,CloseHandle, 0_2_00DD81CB
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DD87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_00DD87E1
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 2_2_00416AB7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E181CB AdjustTokenPrivileges,CloseHandle, 2_2_00E181CB
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 2_2_00E187E1
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 5_2_00416AB7
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEB3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_00DEB3FB
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DFEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_00DFEE0D
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEC397 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_00DEC397
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D84E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_00D84E89
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_00419BC4
Source: C:\Users\user\Desktop\uIarPolvHR.exe File created: C:\Users\user\AppData\Local\Sancerre Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
Source: C:\Users\user\Desktop\uIarPolvHR.exe File created: C:\Users\user\AppData\Local\Temp\aut3E00.tmp Jump to behavior
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs"
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: uIarPolvHR.exe ReversingLabs: Detection: 60%
Source: uIarPolvHR.exe Virustotal: Detection: 70%
Source: C:\Users\user\Desktop\uIarPolvHR.exe File read: C:\Users\user\Desktop\uIarPolvHR.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\uIarPolvHR.exe "C:\Users\user\Desktop\uIarPolvHR.exe"
Source: C:\Users\user\Desktop\uIarPolvHR.exe Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\Desktop\uIarPolvHR.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe"
Source: C:\Users\user\Desktop\uIarPolvHR.exe Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\Desktop\uIarPolvHR.exe" Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe" Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00ED7A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00ED7A50
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA8945 push ecx; ret 0_2_00DA8958
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E0F808 push ds; ret 0_2_00E0F80A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004567E0 push eax; ret 2_2_004567FE
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0045B9DD push esi; ret 2_2_0045B9E6
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00463EF3 push ds; retf 2_2_00463EEC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00455EAF push ecx; ret 2_2_00455EC2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00433FF6 push ecx; ret 2_2_00434009
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DE8945 push ecx; ret 2_2_00DE8958
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E4F808 push ds; ret 2_2_00E4F80A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004567E0 push eax; ret 5_2_004567FE
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0045B9DD push esi; ret 5_2_0045B9E6
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00463EF3 push ds; retf 5_2_00463EEC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00455EAF push ecx; ret 5_2_00455EC2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00433FF6 push ecx; ret 5_2_00434009
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Contains functionality to download and launch executables
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00406128 ShellExecuteW,URLDownloadToFileW, 2_2_00406128
Drops PE files
Source: C:\Users\user\Desktop\uIarPolvHR.exe File created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Jump to dropped file

Boot Survival
barindex
Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nonhazardousness.vbs Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 2_2_00419BC4
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00D848D7
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00E05376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00E05376
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DC48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00DC48D7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E45376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00E45376
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00DA3187
Source: C:\Users\user\Desktop\uIarPolvHR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Delayed program exit found
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0040E54F Sleep,ExitProcess, 2_2_0040E54F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0040E54F Sleep,ExitProcess, 5_2_0040E54F
Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 2_2_004198C2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 5_2_004198C2
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Window / User API: threadDelayed 2416 Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Window / User API: threadDelayed 7065 Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Window / User API: foregroundWindowGot 1749 Jump to behavior
Found evasive API chain (date check)
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\uIarPolvHR.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\uIarPolvHR.exe API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe API coverage: 6.0 %
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe API coverage: 2.0 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1296 Thread sleep count: 212 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1296 Thread sleep time: -106000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1508 Thread sleep count: 2416 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1508 Thread sleep time: -7248000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1508 Thread sleep count: 7065 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe TID: 1508 Thread sleep time: -21195000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00DE445A
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEC6D1 FindFirstFileW,FindClose, 0_2_00DEC6D1
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00DEC75C
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00DEEF95
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00DEF0F2
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00DEF3F3
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00DE37EF
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00DE3B12
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DEBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00DEBCBC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 2_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 2_2_0041B42F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 2_2_0040B53A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0044D5E9 FindFirstFileExA, 2_2_0044D5E9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 2_2_004089A9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00406AC2 FindFirstFileW,FindNextFileW, 2_2_00406AC2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 2_2_00407A8C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 2_2_00418C69
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 2_2_00408DA7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2445A GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00E2445A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2C6D1 FindFirstFileW,FindClose, 2_2_00E2C6D1
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00E2C75C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00E2EF95
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00E2F0F2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00E2F3F3
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00E237EF
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E23B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00E23B12
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E2BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00E2BCBC
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 5_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 5_2_0041B42F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 5_2_0040B53A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0044D5E9 FindFirstFileExA, 5_2_0044D5E9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 5_2_004089A9
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00406AC2 FindFirstFileW,FindNextFileW, 5_2_00406AC2
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 5_2_00407A8C
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW, 5_2_00418C69
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 5_2_00408DA7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 2_2_00406F06
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D849A0
Source: nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllu
Source: wscript.exe, 00000003.00000002.1554332305.000002A0AC2C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: nonhazardousness.exe, 00000005.00000003.1563082206.0000000001529000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareworkstation.exesE
Source: nonhazardousness.exe, 00000004.00000003.1553586996.00000000010AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmwareworkstation.exe
Source: C:\Users\user\Desktop\uIarPolvHR.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\uIarPolvHR.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe API call chain: ExitProcess graph end node
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF3F09 BlockInput, 0_2_00DF3F09
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D83B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00D83B3A
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DB5A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00DB5A7C
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00ED7A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_00ED7A50
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_010637C6 mov eax, dword ptr fs:[00000030h] 0_2_010637C6
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_010637D8 mov eax, dword ptr fs:[00000030h] 0_2_010637D8
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_01064E48 mov eax, dword ptr fs:[00000030h] 0_2_01064E48
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_01064EA8 mov eax, dword ptr fs:[00000030h] 0_2_01064EA8
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00442554 mov eax, dword ptr fs:[00000030h] 2_2_00442554
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_01802118 mov eax, dword ptr fs:[00000030h] 2_2_01802118
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_018020B8 mov eax, dword ptr fs:[00000030h] 2_2_018020B8
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_01800A36 mov eax, dword ptr fs:[00000030h] 2_2_01800A36
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_01800A48 mov eax, dword ptr fs:[00000030h] 2_2_01800A48
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 4_2_01041940 mov eax, dword ptr fs:[00000030h] 4_2_01041940
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 4_2_010419A0 mov eax, dword ptr fs:[00000030h] 4_2_010419A0
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 4_2_010402BE mov eax, dword ptr fs:[00000030h] 4_2_010402BE
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 4_2_010402D0 mov eax, dword ptr fs:[00000030h] 4_2_010402D0
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00442554 mov eax, dword ptr fs:[00000030h] 5_2_00442554
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_01453146 mov eax, dword ptr fs:[00000030h] 5_2_01453146
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_01453158 mov eax, dword ptr fs:[00000030h] 5_2_01453158
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_014547C8 mov eax, dword ptr fs:[00000030h] 5_2_014547C8
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_01454828 mov eax, dword ptr fs:[00000030h] 5_2_01454828
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DD80A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation, 0_2_00DD80A9
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DAA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00DAA155
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DAA124 SetUnhandledExceptionFilter, 0_2_00DAA124
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_00434168
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_0043A65D
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00433B44
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00433CD7 SetUnhandledExceptionFilter, 2_2_00433CD7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DEA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00DEA155
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00DEA124 SetUnhandledExceptionFilter, 2_2_00DEA124
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00434168
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_0043A65D
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00433B44
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 5_2_00433CD7 SetUnhandledExceptionFilter, 5_2_00433CD7
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 2_2_00410F36
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 5_2_00410F36
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DD87B1 LogonUserW, 0_2_00DD87B1
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D83B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00D83B3A
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00D848D7
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DE4C53 mouse_event, 0_2_00DE4C53
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe "C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe" Jump to behavior
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DD7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00DD7CAF
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DD874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00DD874B
Source: uIarPolvHR.exe, 00000000.00000002.1421643506.0000000000E34000.00000040.00000001.01000000.00000003.sdmp, nonhazardousness.exe, 00000002.00000002.3878185815.0000000000E74000.00000040.00000001.01000000.00000004.sdmp, nonhazardousness.exe, 00000004.00000002.1564698054.0000000000E74000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: nonhazardousness.exe, 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: uIarPolvHR.exe, nonhazardousness.exe Binary or memory string: Shell_TrayWnd
Source: nonhazardousness.exe, 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerB
Source: nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager05\7
Source: nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager05\
Source: nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager05\6
Source: nonhazardousness.exe, 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, nonhazardousness.exe, 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: nonhazardousness.exe, 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, logs.dat.2.dr Binary or memory string: [Program Manager]
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DA862B cpuid 0_2_00DA862B
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: EnumSystemLocalesW, 2_2_004470AE
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW, 2_2_004510BA
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 2_2_004511E3
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW, 2_2_004512EA
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 2_2_004513B7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW, 2_2_00447597
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoA, 2_2_0040E679
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 2_2_00450A7F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: EnumSystemLocalesW, 2_2_00450CF7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: EnumSystemLocalesW, 2_2_00450D42
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: EnumSystemLocalesW, 2_2_00450DDD
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 2_2_00450E6A
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: EnumSystemLocalesW, 5_2_004470AE
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW, 5_2_004510BA
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_004511E3
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW, 5_2_004512EA
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_004513B7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW, 5_2_00447597
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoA, 5_2_0040E679
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 5_2_00450A7F
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: EnumSystemLocalesW, 5_2_00450CF7
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: EnumSystemLocalesW, 5_2_00450D42
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: EnumSystemLocalesW, 5_2_00450DDD
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_00450E6A
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DB4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00DB4E87
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DC1E06 GetUserNameW, 0_2_00DC1E06
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DB3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00DB3F3A
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00D849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00D849A0
Source: C:\Users\user\Desktop\uIarPolvHR.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Remcos RAT
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573273495.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 2_2_0040B21B
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0040B21B
Contains functionality to steal Firefox passwords or cookies
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 2_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: \key3.db 2_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 5_2_0040B335
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: \key3.db 5_2_0040B335
OS version to string mapping found (often used in BOTs)
Source: nonhazardousness.exe Binary or memory string: WIN_81
Source: nonhazardousness.exe Binary or memory string: WIN_XP
Source: nonhazardousness.exe Binary or memory string: WIN_XPe
Source: nonhazardousness.exe Binary or memory string: WIN_VISTA
Source: nonhazardousness.exe Binary or memory string: WIN_7
Source: nonhazardousness.exe Binary or memory string: WIN_8
Source: nonhazardousness.exe, 00000005.00000002.1572875642.0000000000E74000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality
barindex
Detected Remcos RAT
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905 Jump to behavior
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905 Jump to behavior
Yara detected Remcos RAT
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.38f0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.3470000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.nonhazardousness.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.nonhazardousness.exe.2f00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3878610708.00000000017DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878085476.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878890270.00000000038F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878702344.0000000001803000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573273495.000000000142C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3878719298.00000000018D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3879043095.00000000045FE000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1566559449.0000000002F00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1572582993.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1573670320.0000000003470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 6052, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2352, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: nonhazardousness.exe PID: 2772, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Contains functionality to launch a control a shell (cmd.exe)
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: cmd.exe 2_2_00405042
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: cmd.exe 5_2_00405042
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00DF6283
Source: C:\Users\user\Desktop\uIarPolvHR.exe Code function: 0_2_00DF6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00DF6747
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E36283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 2_2_00E36283
Source: C:\Users\user\AppData\Local\Sancerre\nonhazardousness.exe Code function: 2_2_00E36747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00E36747
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1570859 Sample: uIarPolvHR.exe Startdate: 08/12/2024 Architecture: WINDOWS Score: 100 31 Suricata IDS alerts for network traffic 2->31 33 Found malware configuration 2->33 35 Malicious sample detected (through community Yara rule) 2->35 37 10 other signatures 2->37 7 uIarPolvHR.exe 4 2->7         started        11 wscript.exe 1 2->11         started        process3 file4 23 C:\Users\user\...\nonhazardousness.exe, PE32 7->23 dropped 43 Binary is likely a compiled AutoIt script file 7->43 13 nonhazardousness.exe 3 5 7->13         started        45 Windows Scripting host queries suspicious COM object (likely to drop second stage) 11->45 18 nonhazardousness.exe 1 11->18         started        signatures5 process6 dnsIp7 29 192.210.150.26, 49705, 49706, 49707 AS-COLOCROSSINGUS United States 13->29 25 C:\Users\user\...\nonhazardousness.vbs, data 13->25 dropped 27 C:\ProgramData\remcos\logs.dat, data 13->27 dropped 47 Multi AV Scanner detection for dropped file 13->47 49 Contains functionality to bypass UAC (CMSTPLUA) 13->49 51 Detected Remcos RAT 13->51 55 7 other signatures 13->55 53 Binary is likely a compiled AutoIt script file 18->53 20 nonhazardousness.exe 1 18->20         started        file8 signatures9 process10 signatures11 39 Detected Remcos RAT 20->39 41 Binary is likely a compiled AutoIt script file 20->41
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
192.210.150.26
 unknown United States
36352 AS-COLOCROSSINGUS true