Windows Analysis Report
94e.exe

Overview

General Information

Sample name: 94e.exe
Analysis ID: 1579940
MD5: e64509a606fef02334a4b20d3da84ecf
SHA1: 4277ab565325593bd91dea95976942f3b636747c
SHA256: 94e4256177777422e7ca3282075bb34480c9e235a1c5f3209918abfe1f341697

Detection

Remcos
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Sigma detected: Drops script at startup location
Sigma detected: Search for Antivirus process
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
AI detected suspicious sample
Drops PE files with a suspicious file extension
Installs a global keyboard hook
Sigma detected: WScript or CScript Dropper
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
PE file contains an invalid checksum
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: Yara match File source: C:\ProgramData\rmc\logs.dat, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 87.7% probability
Source: 94e.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 94e.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\159893
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\159893\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\

Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49736 -> 101.99.94.64:2404
Source: global traffic TCP traffic: 192.168.2.4:49736 -> 101.99.94.64:2404
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49738 -> 178.237.33.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 101.99.94.64
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: KPstIEdgjHZZFIeWPSSPTXW.KPstIEdgjHZZFIeWPSSPTXW
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: 94e.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: 94e.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: 94e.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: 94e.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 94e.exe String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://crl.globalsign.com/gscodesignsha2g3.crl0
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://crl.globalsign.com/root-r3.crl0c
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: 94e.exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 94e.exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: 94e.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: 94e.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 94e.exe String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: 94e.exe String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: 94e.exe String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 94e.exe String found in binary or memory: http://ocsp.digicert.com0
Source: 94e.exe String found in binary or memory: http://ocsp.digicert.com0A
Source: 94e.exe String found in binary or memory: http://ocsp.digicert.com0C
Source: 94e.exe String found in binary or memory: http://ocsp.digicert.com0I
Source: 94e.exe String found in binary or memory: http://ocsp.digicert.com0X
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://ocsp2.globalsign.com/gscodesignsha2g30V
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://secure.globalsign.com/cacert/gscodesignsha2g3ocsp.crt08
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: Held.com, 0000000B.00000000.1766795524.0000000000B15000.00000002.00000001.01000000.00000007.sdmp, Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com, 00000011.00000000.1885708157.0000000000925000.00000002.00000001.01000000.00000009.sdmp, SecureKey.com.11.dr, Held.com.1.dr, This.8.dr String found in binary or memory: http://www.autoitscript.com/autoit3/X
Source: 94e.exe String found in binary or memory: http://www.digicert.com/CPS0
Source: 94e.exe String found in binary or memory: http://www.teamviewer.com
Source: Held.com, 0000000B.00000003.1772928243.0000000003F6C000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com.11.dr, Held.com.1.dr, Sure.8.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
Source: Sure.8.dr String found in binary or memory: https://www.globalsign.com/repository/0

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\159893\Held.com
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_004050F9 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_004050F9
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1

E-Banking Fraud

Source: Yara match File source: C:\ProgramData\rmc\logs.dat, type: DROPPED

System Summary

Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_004038AF EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,CoUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx, 0_2_004038AF
Source: C:\Users\user\Desktop\94e.exe File created: C:\Windows\UnlessMemorabilia
Source: C:\Users\user\Desktop\94e.exe File created: C:\Windows\UpgradesGlenn
Source: C:\Users\user\Desktop\94e.exe File created: C:\Windows\RidesRepresentations
Source: C:\Users\user\Desktop\94e.exe File created: C:\Windows\ProvenForwarding
Source: C:\Users\user\Desktop\94e.exe File created: C:\Windows\ResidentialTranslate
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_0040737E 0_2_0040737E
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_00406EFE 0_2_00406EFE
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_004079A2 0_2_004079A2
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_004049A8 0_2_004049A8
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com 1300262A9D6BB6FCBEFC0D299CCE194435790E70B9C7B4A651E202E90A32FD49
Source: C:\Users\user\Desktop\94e.exe Code function: String function: 004062CF appears 58 times
Source: 94e.exe Static PE information: invalid certificate
Source: 94e.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 94e.exe Static PE information: Section: .rsrc ZLIB complexity 0.993720332278481
Source: classification engine Classification label: mal92.troj.spyw.expl.evad.winEXE@30/31@3/2
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_004044D1 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW, 0_2_004044D1
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_004024FB CoCreateInstance, 0_2_004024FB
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com File created: C:\Users\user\AppData\Local\GuardKey Solutions
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Users\user\Desktop\94e.exe File created: C:\Users\user\AppData\Local\Temp\nsr9F2F.tmp
Source: 94e.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Users\user\Desktop\94e.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\94e.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\94e.exe File read: C:\Users\user\Desktop\94e.exe
Source: unknown Process created: C:\Users\user\Desktop\94e.exe "C:\Users\user\Desktop\94e.exe"
Source: C:\Users\user\Desktop\94e.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 159893
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Beastiality
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Patrick" Episode
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\159893\Held.com Held.com H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [InternetShortcut] > "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & echo URL="C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js" >> "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url" & exit
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com" "C:\Users\user\AppData\Local\GuardKey Solutions\a"
Source: C:\Users\user\Desktop\94e.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: riched20.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: usp10.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: msls31.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\94e.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\extrac32.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\choice.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: version.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Section loaded: netutils.dll
Source: C:\Users\user\Desktop\94e.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: Window Recorder Window detected: More than 3 window changes detected
Source: 94e.exe Static file information: File size 1820231 > 1048576
Source: 94e.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: 94e.exe Static PE information: real checksum: 0x1bb92d should be: 0x1cb5ee

Persistence and Installation Behavior

Source: C:\Users\user\AppData\Local\Temp\159893\Held.com File created: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\159893\Held.com
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SecureKey.url
Source: C:\Users\user\Desktop\94e.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\tasklist.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com Process information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Window / User API: threadDelayed 9325
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Window / User API: foregroundWindowGot 1764
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com TID: 7356 Thread sleep time: -127500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com TID: 7360 Thread sleep time: -351000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com TID: 7360 Thread sleep time: -27975000s >= -30000s
Source: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com TID: 8124 Thread sleep count: 63 > 30
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_00406301 FindFirstFileW,FindClose, 0_2_00406301
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_00406CC7 DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 0_2_00406CC7
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\159893
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\159893\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: Modes.0.dr Binary or memory string: HgFsConnect-
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_00406328 GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_00406328
Source: C:\Windows\SysWOW64\tasklist.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\94e.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /c move Modes Modes.cmd & Modes.cmd
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "opssvc wrsa"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 159893
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\extrac32.exe extrac32 /Y /E Beastiality
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "Patrick" Episode
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b ..\Proceedings + ..\Deviation + ..\Ds + ..\Lived + ..\Formed + ..\Twiki + ..\Shoot + ..\Retrieval + ..\Pounds + ..\Roland H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\159893\Held.com Held.com H
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com "C:\Users\user\AppData\Local\GuardKey Solutions\SecureKey.com" "C:\Users\user\AppData\Local\GuardKey Solutions\a"
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Process created: C:\Windows\SysWOW64\cmd.exe cmd /k echo [internetshortcut] > "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\securekey.url" & echo url="c:\users\user\appdata\local\guardkey solutions\securekey.js" >> "c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\securekey.url" & exit
Source: Held.com, 0000000B.00000000.1766725429.0000000000B03000.00000002.00000001.01000000.00000007.sdmp, Held.com, 0000000B.00000003.1772928243.0000000003F5E000.00000004.00000800.00020000.00000000.sdmp, SecureKey.com, 00000011.00000000.1885586450.0000000000913000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: logs.dat.11.dr Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\94e.exe Code function: 0_2_00406831 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW, 0_2_00406831
Source: C:\Users\user\AppData\Local\Temp\159893\Held.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: C:\ProgramData\rmc\logs.dat, type: DROPPED

Remote Access Functionality

Source: Yara match File source: C:\ProgramData\rmc\logs.dat, type: DROPPED