Windows Analysis Report
784069483573273747434.exe

Overview

General Information

Sample name: 784069483573273747434.exe
Analysis ID: 1649031
MD5: bb64eef8bd794e2296b2876aa7910009
SHA1: 1b21e75bf40a1a8a16ff92c245a2d83fe74ba290
SHA256: 49c04ebf5b502cf960b7808dbe53a7e28d2c9302da88c26873149d12b16b3560
Tags: exeuser-lowmal3

Detection

Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected Remcos RAT
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops VBS files to the startup folder
Installs a global keyboard hook
Joe Sandbox ML detected suspicious sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to execute programs as a different user
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
One or more processes crash
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Classification chart (radar): Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: 00000014.00000002.3643159219.0000000003200000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.3.101.149:6565:1"], "Assigned name": "MARCH 26", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Remcos", "Hide file": "Disable", "Mutex": "Rmc-3SSI04", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100"}
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Virustotal: Detection: 40%
Source: 784069483573273747434.exe ReversingLabs: Detection: 44%
Source: Yara match File source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1345355156.0000000003031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345694800.0000000004D5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3643257194.0000000003224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3643159219.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3644897898.0000000004F5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345319637.0000000003012000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345237084.000000000300E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample Neural Call Log Analysis: 92.0%
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 4_2_004315EC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004315EC CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 20_2_004315EC
Source: sacculation.exe, 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_df63c87f-1
Source: 784069483573273747434.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP source: sacculation.exe, 00000003.00000003.1224478199.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000003.00000003.1226301585.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000010.00000003.1345960387.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000010.00000003.1347601468.0000000004100000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000013.00000003.1364312318.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000013.00000003.1367488153.00000000037B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: sacculation.exe, 00000003.00000003.1224478199.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000003.00000003.1226301585.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000010.00000003.1345960387.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000010.00000003.1347601468.0000000004100000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000013.00000003.1364312318.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000013.00000003.1367488153.00000000037B0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0092445A
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092C6D1 FindFirstFileW,FindClose, 0_2_0092C6D1
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0092C75C
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0092EF95
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0092F0F2
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0092F3F3
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_009237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_009237EF
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00923B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00923B12
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0092BCBC
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082445A GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0082445A
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082C6D1 FindFirstFileW,FindClose, 3_2_0082C6D1
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_0082C75C
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0082EF95
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0082F0F2
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0082F3F3
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_008237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_008237EF
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_00823B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00823B12
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0082BCBC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 4_2_0041A01B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 4_2_0040B28E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_0040838E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_004087A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 4_2_00407848
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004068CD FindFirstFileW,FindNextFileW, 4_2_004068CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0044BA59 FindFirstFileExA, 4_2_0044BA59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_2_0040AA71
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 4_2_00417AAB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_2_0040AC78
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 20_2_0041A01B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 20_2_0040B28E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 20_2_0040838E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 20_2_004087A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 20_2_00407848
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004068CD FindFirstFileW,FindNextFileW, 20_2_004068CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0044BA59 FindFirstFileExA, 20_2_0044BA59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 20_2_0040AA71
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 20_2_00417AAB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 20_2_0040AC78
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0040AE51 FindFirstFileW,FindNextFileW, 25_2_0040AE51
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 4_2_00406D28

Networking

Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49762 -> 192.3.101.149:6565
Source: Network traffic Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49764 -> 192.3.101.149:6565
Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 192.3.101.149 6565
Source: Malware configuration extractor IPs: 192.3.101.149
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 192.3.101.149
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.6:49763 -> 178.237.33.50:80
Source: unknown TCP traffic detected without corresponding DNS query: 192.3.101.149
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_009322EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_009322EE
Source: svchost.exe, 00000014.00000002.3645624592.0000000006340000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000001C.00000002.3582642357.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe, 00000014.00000002.3645624592.0000000006340000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000001C.00000002.3582642357.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: svchost.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.3596611917.0000000003544000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.3598420458.0000000003544000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.3597724652.000000000353A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.3596611917.0000000003544000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.3598420458.0000000003544000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.3597724652.000000000353A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000019.00000003.3600749892.0000000003544000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: tps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: svchost.exe, 00000019.00000003.3600749892.0000000003544000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: tps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srffile://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: svchost.exe, 00000014.00000002.3645105028.0000000005680000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000019.00000002.3600995325.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: svchost.exe, 00000014.00000002.3645105028.0000000005680000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000019.00000002.3600995325.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://c.pki.goog/r/gsr1.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://c.pki.goog/r/r4.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://c.pki.goog/we2/64OUIVzpZV4.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0B
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: svchost.exe, svchost.exe, 00000014.00000002.3644571738.000000000327A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000003.3568975388.0000000003249000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3643257194.0000000003224000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: sacculation.exe, 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, sacculation.exe, 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://i.pki.goog/gsr1.crt0-
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://i.pki.goog/r4.crt0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://i.pki.goog/we2.crt0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://o.pki.goog/we20%
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: svchost.exe, 00000014.00000002.3645624592.0000000006340000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000001C.00000002.3582642357.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: svchost.exe, 00000014.00000002.3645624592.0000000006340000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000001C.00000002.3582642357.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: svchost.exe, 00000014.00000002.3645624592.0000000006340000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000001C.00000002.3582642357.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: svchost.exe, 00000014.00000002.3645624592.0000000006340000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000001C.00000002.3582642357.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: svchost.exe, 00000019.00000002.3601238736.00000000030B3000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: svchost.exe, 0000001C.00000002.3582642357.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb&ndcParam=QWthbWFp
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=e
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-LAX31r5c&
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?0684adfa5500b3bab63593997d26215c
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://fp-afd.azureedge.net/apc/trans.gif?79b1312614e5ac304828ba5e1fdb4fa3
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7ae939fc98ce1346dd2e496abdba2d3b
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?9f3db9405f1b2793ad8d8de9770248e4
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?4aec53910de6415b25f2c4faf3f7e54a
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?77290711a5e44a163ac2e666ad7b53fd
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: svchost.exe, 00000019.00000003.3600749892.0000000003544000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfh
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: svchost.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-30-24/PreSignInSettingsConfig.json?One
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-06-40-12/PreSignInSettingsConfig.json
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=14d1c105224b3e736c3c
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=7fe112
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: svchost.exe, 00000014.00000002.3645624592.0000000006340000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 0000001C.00000002.3582642357.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: svchost.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://www.office.com/
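Most of the URLs in the list above are noise for an analyst: everything sourced from bhv9B9.tmp.25.dr is CRL, OCSP, AIA and CDN plumbing pulled out of certificates and cached web content, and the stray characters after them ("crl07", "com0H", "CPS0~") are the next DER tag byte (0x30, a SEQUENCE) and a length byte that were carved along with the string, not part of the URL. The entries worth attention are the ones read out of writable memory of the injected svchost.exe: geoplugin.net/json.gp, the public geolocation lookup that also appears in the DNS traffic, and nirsoft.net, the vendor string of the password-recovery utilities that Remcos builds embed. The following triage script is an added example, not part of the report or of any Joe Sandbox tooling. It parses lines in the report's "String found in binary or memory" shape, trims the DER debris with a heuristic, and buckets each string by whether any of its sources is a process memory dump with a writable page protection. The sample lines are retyped from the report; reading the page protection from the fifth dot-separated field of a .sdmp name is an assumption inferred from the values on this page.

```python
import re
from collections import defaultdict

# Constructed sample: lines retyped in the shape of this report's "String found
# in binary or memory" entries (a small subset, not the report's full list).
SAMPLE_REPORT = """\
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv9B9.tmp.25.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: bhv9B9.tmp.25.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: svchost.exe, svchost.exe, 00000014.00000002.3644571738.000000000327A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp
Source: sacculation.exe, 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: svchost.exe, 0000001C.00000002.3582642357.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: Amcache.hve.7.dr String found in binary or memory: http://upx.sf.net
"""

LINE_RE = re.compile(r"^Source: (?P<source>.+?) String found in binary or memory: (?P<string>.+)$")

# Win32 page-protection constants. Reading them from the fifth dot-separated
# field of a *.sdmp name is an assumption about Joe Sandbox's dump naming,
# inferred from the values that appear on this page.
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
WRITABLE = {"PAGE_READWRITE", "PAGE_EXECUTE_READWRITE"}

# Hosts that only serve X.509 revocation/issuer data (CRL, OCSP, AIA, CPS).
CERT_INFRA_HOSTS = ("pki.goog", "digicert.com", "msocsp.com")

# Heuristic: a URL carved out of a DER-encoded certificate drags the next tag
# byte (0x30 = '0', SEQUENCE) and a length byte along, e.g. ".crl07" or ".com0H".
DER_TAIL_RE = re.compile(r"(\.crl|\.crt|\.com|/CPS)0.?$")


def parse_sources(source):
    """Yield (process, base, protect) per source token; base/protect are None for files."""
    tokens = source.split(", ")
    i = 0
    while i < len(tokens):
        proc = tokens[i]
        if i + 1 < len(tokens) and tokens[i + 1].endswith(".sdmp"):
            fields = tokens[i + 1].split(".")
            yield proc, int(fields[3], 16), PAGE_PROTECT.get(int(fields[4], 16), fields[4])
            i += 2
        else:
            yield proc, None, None
            i += 1


def parse_hits(text):
    """One record per report line: the raw string and every source it was seen in."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits.append({"string": m.group("string"), "sources": list(parse_sources(m.group("source")))})
    return hits


def clean_url(s):
    return DER_TAIL_RE.sub(r"\1", s)


def host_of(url):
    return re.sub(r"^https?://", "", url).split("/")[0].lower()


def triage(hits):
    """Bucket strings: certificate plumbing, strings seen in writable process memory, the rest."""
    out = defaultdict(list)
    for h in hits:
        url = clean_url(h["string"])
        if host_of(url).endswith(CERT_INFRA_HOSTS):
            out["cert_infrastructure"].append(url)
            continue
        mem = [(p, hex(b), pr) for p, b, pr in h["sources"] if pr in WRITABLE]
        if mem:
            out["writable_process_memory"].append((url, mem))
        else:
            out["other"].append((url, [p for p, _, _ in h["sources"]]))
    return dict(out)
```

Run `triage(parse_hits(SAMPLE_REPORT))` and the two geoplugin.net strings plus nirsoft.net land in the writable-memory bucket, tagged with the process and the 0x400000 PAGE_EXECUTE_READWRITE region that the Yara matches below also point at; the DigiCert entries collapse to clean URLs in the certificate bucket. The DER-trimming regex is deliberately narrow (.crl, .crt, .com, /CPS) so it cannot eat a real path segment on an unrelated URL.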

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00409340 SetWindowsHookExA 0000000D,0040932C,00000000 4_2_00409340
Source: C:\Windows\SysWOW64\svchost.exe Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Windows user hook set: 0 keyboard low level C:\Windows\SysWOW64\svchost.exe Jump to behavior
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00934164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00934164
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00934164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_00934164
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_00834164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 3_2_00834164
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_00414EC1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00414EC1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 20_2_00414EC1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalLock,memcpy,GlobalUnlock,SetClipboardData,CloseClipboard, 25_2_0040987A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalLock,ReadFile,GlobalUnlock,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 25_2_004098E2
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00933F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_00933F66
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState, 0_2_0092001C
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0094CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_0094CABC
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0084CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 3_2_0084CABC
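The hook in this section is installed from inside C:\Windows\SysWOW64\svchost.exe: idHook 0000000D is WH_KEYBOARD_LL, and the callback 0040932C lies in the 0x400000 region that the memory dumps elsewhere on this page show as PAGE_EXECUTE_READWRITE, which is the injected Remcos image rather than anything svchost.exe legitimately loads. A service host that is not a child of services.exe, carries no "-k <group>" argument, and runs from SysWOW64 is the host-side tell for this. The script below is an added example, not from the report or from Joe Sandbox: it decodes a "Code function" line of the shape shown above and runs that process-tree check over a constructed snapshot. PIDs 7040 and 7156 are the ones the report lists for sacculation.exe and svchost.exe; the parent/child relation and the other entries are assumed for the example.

```python
import ntpath
import re
from dataclasses import dataclass

# Hook types for SetWindowsHookEx (winuser.h).
WH_IDS = {2: "WH_KEYBOARD", 3: "WH_GETMESSAGE", 5: "WH_CBT", 7: "WH_MOUSE",
          10: "WH_SHELL", 13: "WH_KEYBOARD_LL", 14: "WH_MOUSE_LL"}

# Report shape: "... SetWindowsHookExA <idHook>,<lpfn>,<hMod> ..."
HOOK_LINE_RE = re.compile(r"SetWindowsHookEx[AW] ([0-9A-F]{8}),([0-9A-F]{8}),([0-9A-F]{8})")


def decode_hook_call(report_line):
    """Return (hook type name, lpfn, hMod) from a 'Code function' line, or None."""
    m = HOOK_LINE_RE.search(report_line)
    if not m:
        return None
    id_hook, lpfn, hmod = (int(x, 16) for x in m.groups())
    return WH_IDS.get(id_hook, f"WH_{id_hook}"), lpfn, hmod


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str      # full image path as the OS reports it
    cmdline: str


# Constructed process snapshot (not data from the report). PIDs 7040 and 7156
# match the report's sacculation.exe and svchost.exe entries; the parentage and
# the remaining records are assumed for this example.
SNAPSHOT = [
    Proc(548, 4, r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    Proc(700, 548, r"C:\Windows\System32\services.exe", r"C:\Windows\system32\services.exe"),
    Proc(1200, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule"),
    Proc(7040, 6000, r"C:\Users\user\AppData\Local\biopsies\sacculation.exe", "sacculation.exe"),
    Proc(7156, 7040, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe"),
]


def basename(path):
    # ntpath, not os.path, so the Windows paths split correctly on any host.
    return ntpath.basename(path).lower()


def find_suspicious_svchost(procs):
    """Flag svchost.exe instances that do not look like service hosts started by the SCM."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        if basename(p.image) != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        if parent is None or basename(parent.image) != "services.exe":
            reasons.append(f"parent is {parent.image if parent else 'unknown'}, expected services.exe")
        if " -k " not in f" {p.cmdline.lower()} ":
            reasons.append("no -k <service group> argument on the command line")
        if "\\syswow64\\" in p.image.lower():
            reasons.append("32-bit svchost.exe from SysWOW64; service hosts on 64-bit Windows run from System32")
        if reasons:
            findings.append((p.pid, reasons))
    return findings
```

`decode_hook_call` on the SetWindowsHookExA line above yields ("WH_KEYBOARD_LL", 0x40932C, 0); `find_suspicious_svchost(SNAPSHOT)` flags only PID 7156, with all three reasons, and leaves the services.exe-spawned host alone. The same three conditions translate directly into a process-creation query (Sysmon event 1 or Security 4688) for live hunting.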

E-Banking Fraud

Source: Yara match File source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1345355156.0000000003031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345694800.0000000004D5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3643257194.0000000003224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3643159219.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3644897898.0000000004F5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345319637.0000000003012000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345237084.000000000300E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0041A76C SystemParametersInfoW, 4_2_0041A76C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0041A76C SystemParametersInfoW, 20_2_0041A76C

System Summary

Source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Windows exceutables potentially bypassing UAC using eventvwr.exe Author: ditekSHen
Source: Process Memory Space: sacculation.exe PID: 7040, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7156, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: sacculation.exe PID: 7268, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: sacculation.exe PID: 7316, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7380, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: This is a third-party compiled AutoIt script. 0_2_008C3B3A
Source: 784069483573273747434.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 784069483573273747434.exe, 00000000.00000002.1207247745.0000000000974000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c6d99d34-c
Source: 784069483573273747434.exe, 00000000.00000002.1207247745.0000000000974000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_ad6a4690-2
Source: 784069483573273747434.exe, 00000000.00000003.1202991474.0000000003B13000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_bc2ccf99-a
Source: 784069483573273747434.exe, 00000000.00000003.1202991474.0000000003B13000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_baf6641b-0
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: This is a third-party compiled AutoIt script. 3_2_007C3B3A
Source: sacculation.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: sacculation.exe, 00000003.00000000.1205873476.0000000000874000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b4f9101c-d
Source: sacculation.exe, 00000003.00000000.1205873476.0000000000874000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_697ac105-5
Source: sacculation.exe, 00000010.00000000.1334464548.0000000000874000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_99019662-1
Source: sacculation.exe, 00000010.00000000.1334464548.0000000000874000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_2dd18a3c-a
Source: sacculation.exe, 00000013.00000000.1349312500.0000000000874000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_296695d5-2
Source: sacculation.exe, 00000013.00000000.1349312500.0000000000874000.00000002.00000001.01000000.00000007.sdmp String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_69709fec-0
Source: 784069483573273747434.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_874a93c4-6
Source: 784069483573273747434.exe String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_50a4a537-f
Source: sacculation.exe.0.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9467cf3e-8
Source: sacculation.exe.0.dr String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer` memstr_8e628414-1
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process Stats: CPU usage > 49%
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0041642D GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 20_2_0041642D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 25_2_0040DD85
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00401806 NtdllDefWindowProc_W, 25_2_00401806
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_004018C0 NtdllDefWindowProc_W, 25_2_004018C0
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle, 0_2_0092A1EF
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00918310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00918310
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_009251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_009251BD
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_008251BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 3_2_008251BD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 4_2_00414DB4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00414DB4 ExitWindowsEx,LoadLibraryA,GetProcAddress, 20_2_00414DB4
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008ED975 0_2_008ED975
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E21C5 0_2_008E21C5
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008F62D2 0_2_008F62D2
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_009403DA 0_2_009403DA
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008F242E 0_2_008F242E
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E25FA 0_2_008E25FA
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008CE6A0 0_2_008CE6A0
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008D66E1 0_2_008D66E1
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0091E616 0_2_0091E616
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008F878F 0_2_008F878F
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00928889 0_2_00928889
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008D8808 0_2_008D8808
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00940857 0_2_00940857
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008F6844 0_2_008F6844
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008ECB21 0_2_008ECB21
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008F6DB6 0_2_008F6DB6
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008D6F9E 0_2_008D6F9E
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008D3030 0_2_008D3030
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E3187 0_2_008E3187
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008EF1D9 0_2_008EF1D9
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C1287 0_2_008C1287
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E1484 0_2_008E1484
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008D5520 0_2_008D5520
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E7696 0_2_008E7696
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008D5760 0_2_008D5760
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E1978 0_2_008E1978
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008F9AB5 0_2_008F9AB5
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008CFCE0 0_2_008CFCE0
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E1D90 0_2_008E1D90
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008EBDA6 0_2_008EBDA6
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00947DDB 0_2_00947DDB
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008D3FE0 0_2_008D3FE0
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008CDF00 0_2_008CDF00
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_01173FF0 0_2_01173FF0
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007ED975 3_2_007ED975
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007E21C5 3_2_007E21C5
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007F62D2 3_2_007F62D2
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_008403DA 3_2_008403DA
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007F242E 3_2_007F242E
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007E25FA 3_2_007E25FA
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0081E616 3_2_0081E616
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007D66E1 3_2_007D66E1
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007CE6A0 3_2_007CE6A0
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007F878F 3_2_007F878F
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_00828889 3_2_00828889
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007F6844 3_2_007F6844
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007D8808 3_2_007D8808
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_00840857 3_2_00840857
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007ECB21 3_2_007ECB21
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007F6DB6 3_2_007F6DB6
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007D6F9E 3_2_007D6F9E
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007D3030 3_2_007D3030
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007EF1D9 3_2_007EF1D9
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007E3187 3_2_007E3187
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007C1287 3_2_007C1287
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007E1484 3_2_007E1484
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007D5520 3_2_007D5520
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007E7696 3_2_007E7696
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007D5760 3_2_007D5760
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007E1978 3_2_007E1978
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007F9AB5 3_2_007F9AB5
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007CFCE0 3_2_007CFCE0
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_00847DDB 3_2_00847DDB
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007EBDA6 3_2_007EBDA6
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007E1D90 3_2_007E1D90
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007CDF00 3_2_007CDF00
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007D3FE0 3_2_007D3FE0
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_01213868 3_2_01213868
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00425152 4_2_00425152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00435286 4_2_00435286
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004513D4 4_2_004513D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0045050B 4_2_0045050B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00436510 4_2_00436510
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004316FB 4_2_004316FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0043569E 4_2_0043569E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00443700 4_2_00443700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004257FB 4_2_004257FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004128E3 4_2_004128E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00425964 4_2_00425964
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0041B917 4_2_0041B917
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0043D9CC 4_2_0043D9CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00435AD3 4_2_00435AD3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00424BC3 4_2_00424BC3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0043DBFB 4_2_0043DBFB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0044ABA9 4_2_0044ABA9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00433C0B 4_2_00433C0B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00434D8A 4_2_00434D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0043DE2A 4_2_0043DE2A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0041CEAF 4_2_0041CEAF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00435F08 4_2_00435F08
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 16_2_016A2DF8 16_2_016A2DF8
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 19_2_00F34600 19_2_00F34600
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00425152 20_2_00425152
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00435286 20_2_00435286
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004513D4 20_2_004513D4
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0045050B 20_2_0045050B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00436510 20_2_00436510
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004316FB 20_2_004316FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0043569E 20_2_0043569E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00443700 20_2_00443700
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004257FB 20_2_004257FB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004128E3 20_2_004128E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00425964 20_2_00425964
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0041B917 20_2_0041B917
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0043D9CC 20_2_0043D9CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00435AD3 20_2_00435AD3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00424BC3 20_2_00424BC3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0043DBFB 20_2_0043DBFB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0044ABA9 20_2_0044ABA9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00433C0B 20_2_00433C0B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00434D8A 20_2_00434D8A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0043DE2A 20_2_0043DE2A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0041CEAF 20_2_0041CEAF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00435F08 20_2_00435F08
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044B040 25_2_0044B040
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0043610D 25_2_0043610D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00447310 25_2_00447310
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044A490 25_2_0044A490
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0040755A 25_2_0040755A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0043C560 25_2_0043C560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044B610 25_2_0044B610
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044D6C0 25_2_0044D6C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_004476F0 25_2_004476F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044B870 25_2_0044B870
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044081D 25_2_0044081D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00414957 25_2_00414957
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_004079EE 25_2_004079EE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00407AEB 25_2_00407AEB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044AA80 25_2_0044AA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00412AA9 25_2_00412AA9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00404B74 25_2_00404B74
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00404B03 25_2_00404B03
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044BBD8 25_2_0044BBD8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00404BE5 25_2_00404BE5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00404C76 25_2_00404C76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00415CFE 25_2_00415CFE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00416D72 25_2_00416D72
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00446D30 25_2_00446D30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00446D8B 25_2_00446D8B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00406E8F 25_2_00406E8F
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004046D7 appears 32 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0040415E appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00402073 appears 102 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004165FF appears 35 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004021F3 appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004020BF appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00432525 appears 82 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00454C08 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004052DD appears 32 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00401F8B appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00401E45 appears 34 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00432B90 appears 106 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 004459F9 appears 36 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00442DE2 appears 56 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 00416760 appears 69 times
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: String function: 008E0AE3 appears 70 times
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: String function: 008C7DE1 appears 35 times
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: String function: 008E8900 appears 42 times
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: String function: 007C7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: String function: 007E0AE3 appears 70 times
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: String function: 007E8900 appears 42 times
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 652
Source: 784069483573273747434.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows executables potentially bypassing UAC using eventvwr.exe
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_EventViewer author = ditekSHen, description = detects Windows exceutables potentially bypassing UAC using eventvwr.exe
Source: Process Memory Space: sacculation.exe PID: 7040, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7156, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: sacculation.exe PID: 7268, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: sacculation.exe PID: 7316, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7380, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@21/20@1/2
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092A06A GetLastError,FormatMessageW, 0_2_0092A06A
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_009181CB AdjustTokenPrivileges,CloseHandle, 0_2_009181CB
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_009187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_009187E1
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_008181CB AdjustTokenPrivileges,CloseHandle, 3_2_008181CB
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_008187E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 3_2_008187E1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 4_2_00415C90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00415C90 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 20_2_00415C90
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0092B3FB
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0093EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_0093EE0D
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092C397 CoInitialize,CoCreateInstance,CoUninitialize, 0_2_0092C397
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_008C4E89
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_00418A00
Source: C:\Users\user\Desktop\784069483573273747434.exe File created: C:\Users\user\AppData\Local\biopsies
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7156
Source: C:\Windows\SysWOW64\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\Rmc-3SSI04
Source: C:\Users\user\Desktop\784069483573273747434.exe File created: C:\Users\user\AppData\Local\Temp\aut655A.tmp
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sacculation.vbs"
Source: 784069483573273747434.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\SysWOW64\svchost.exe System information queried: HandleInformation
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\784069483573273747434.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: svchost.exe, svchost.exe, 00000019.00000002.3600995325.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: svchost.exe, svchost.exe, 00000019.00000002.3600995325.0000000000400000.00000040.80000000.00040000.00000000.sdmp, svchost.exe, 0000001A.00000002.3581670673.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: svchost.exe, 00000014.00000002.3645105028.0000000005680000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000019.00000002.3600995325.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: svchost.exe, svchost.exe, 00000019.00000002.3600995325.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: svchost.exe, svchost.exe, 00000019.00000002.3600995325.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: svchost.exe, svchost.exe, 00000019.00000002.3600995325.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: svchost.exe, 00000019.00000003.3600675389.000000000352E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000019.00000003.3600709486.0000000003530000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: svchost.exe, svchost.exe, 00000019.00000002.3600995325.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 784069483573273747434.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\Desktop\784069483573273747434.exe File read: C:\Users\user\Desktop\784069483573273747434.exe
Source: unknown Process created: C:\Users\user\Desktop\784069483573273747434.exe "C:\Users\user\Desktop\784069483573273747434.exe"
Source: C:\Users\user\Desktop\784069483573273747434.exe Process created: C:\Users\user\AppData\Local\biopsies\sacculation.exe "C:\Users\user\Desktop\784069483573273747434.exe"
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\784069483573273747434.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 652
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7156 -s 652
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sacculation.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\biopsies\sacculation.exe "C:\Users\user\AppData\Local\biopsies\sacculation.exe"
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\biopsies\sacculation.exe"
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Process created: C:\Users\user\AppData\Local\biopsies\sacculation.exe "C:\Users\user\AppData\Local\biopsies\sacculation.exe"
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\biopsies\sacculation.exe"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\oikgfvmmutkvxhnmaeoztozmbb"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\oikgfvmmutkvxhnmaeoztozmbb"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\llmsxbdzeehwncwdpiujifr"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\yywqnsalgfkklswlorjrfnupv"
Source: C:\Windows\SysWOW64\svchost.exe Process created: C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\svchost.exe /stext "C:\Users\user\AppData\Local\Temp\yywqnsalgfkklswlorjrfnupv"
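The process-creation lines above spell out the whole chain: the (likely AutoIt-compiled) dropper copies itself to %LOCALAPPDATA%\biopsies\sacculation.exe; sacculation.exe starts a SysWOW64 svchost.exe whose command line is still the dropper's own path (the hollowed host for the Remcos payload); wscript.exe re-launches sacculation.exe from the Startup-folder .vbs after logon; and the injected svchost.exe spawns further svchost.exe instances with the NirSoft "/stext <file>" switch to dump recovered credentials into %TEMP%. The Python below is an added example and not part of this Joe Sandbox report: it replays those lines as constructed process-creation records and applies the checks an analyst would turn into detections (command line naming a different binary than the running image, svchost.exe not parented by services.exe, the /stext switch, a script host running a .vbs from the Startup folder), plus a check for the Rmc-<id> mutex name seen above. The record layout, the explorer.exe parent assumed for the two root processes, the benign control record and the general alphanumeric form of the mutex suffix are assumptions, not facts from the report.

```python
"""Triage of the process-creation chain recorded above.

Added example, not part of the Joe Sandbox report.  Each record mirrors one
"Process created" line; the dict layout (image / cmdline / parent) and the
explorer.exe parent of the two root processes are assumptions.
"""
import ntpath
import re

# Constructed from the report's process-creation lines.  The last record is
# a constructed benign control: a normal service host started by the SCM.
SAMPLE_EVENTS = [
    {"image": r"C:\Users\user\Desktop\784069483573273747434.exe",
     "cmdline": r'"C:\Users\user\Desktop\784069483573273747434.exe"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Users\user\AppData\Local\biopsies\sacculation.exe",
     "cmdline": r'"C:\Users\user\Desktop\784069483573273747434.exe"',
     "parent": r"C:\Users\user\Desktop\784069483573273747434.exe"},
    {"image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\784069483573273747434.exe"',
     "parent": r"C:\Users\user\AppData\Local\biopsies\sacculation.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" '
                r'"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sacculation.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'C:\Windows\SysWOW64\svchost.exe /stext '
                r'"C:\Users\user\AppData\Local\Temp\oikgfvmmutkvxhnmaeoztozmbb"',
     "parent": r"C:\Windows\SysWOW64\svchost.exe"},
    {"image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule",
     "parent": r"C:\Windows\System32\services.exe"},
]

# Remcos names its mutex "Rmc-<id>" (Rmc-3SSI04 above); the general
# alphanumeric-suffix form is an assumption.
REMCOS_MUTEX = re.compile(r"^Rmc-[A-Za-z0-9]+$")


def image_named_by(cmdline):
    """Executable the command line claims to run (first token, quoted or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def triage(event):
    """Return the list of findings for one process-creation record."""
    findings = []
    name = ntpath.basename(event["image"]).lower()
    parent = ntpath.basename(event["parent"]).lower()
    claimed = ntpath.basename(image_named_by(event["cmdline"])).lower()
    # 1. The command line names a different binary than the one that runs.
    #    sacculation.exe and the injected svchost.exe both carry the dropper's
    #    path as their command line: a process-hollowing tell.
    if claimed != name:
        findings.append("cmdline/image mismatch")
    if name == "svchost.exe":
        # 2. A genuine service host is always a child of services.exe.
        if parent != "services.exe":
            findings.append("svchost not spawned by services.exe")
        # 3. "/stext <file>" is the save-as-text switch of the NirSoft recovery
        #    tools Remcos runs inside a hollowed svchost.exe to dump credentials.
        if re.search(r"(?i)\s/stext\s", event["cmdline"]):
            findings.append("svchost with /stext credential-dump switch")
    # 4. Script host launched on a .vbs in the per-user Startup folder, the
    #    persistence the report flags as "Drops VBS files to the startup folder".
    if name in ("wscript.exe", "cscript.exe") and re.search(
            r'(?i)\\start menu\\programs\\startup\\[^"]+\.vbs', event["cmdline"]):
        findings.append("script host running .vbs from Startup folder")
    return findings


def is_remcos_mutex(object_path):
    """True when the object's leaf name follows the Rmc-<id> mutex pattern."""
    return bool(REMCOS_MUTEX.match(object_path.rsplit("\\", 1)[-1]))


def triage_all(events=SAMPLE_EVENTS):
    """Findings per record index, skipping records with nothing to report."""
    flagged = {}
    for i, event in enumerate(events):
        findings = triage(event)
        if findings:
            flagged[i] = findings
    return flagged


if __name__ == "__main__":
    for i, findings in triage_all().items():
        print(f"[{i}] {SAMPLE_EVENTS[i]['image']}")
        for finding in findings:
            print(f"      - {finding}")
    print("Rmc-3SSI04 matches the Remcos mutex pattern:",
          is_remcos_mutex(r"\Sessions\1\BaseNamedObjects\Rmc-3SSI04"))
```

Only the four malicious records are flagged; the dropper's own launch and the benign services.exe-parented svchost.exe produce nothing. On a real endpoint the same four checks map directly onto Sysmon Event ID 1 fields (Image, CommandLine, ParentImage); the mismatch check in particular catches the hollowed svchost.exe without any signature for the Remcos payload itself.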
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\784069483573273747434.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: pstorec.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\svchost.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts Jump to behavior
Source: 784069483573273747434.exe Static file information: File size 1282560 > 1048576
Source: 784069483573273747434.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 784069483573273747434.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 784069483573273747434.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 784069483573273747434.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 784069483573273747434.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 784069483573273747434.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: 784069483573273747434.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: wntdll.pdbUGP source: sacculation.exe, 00000003.00000003.1224478199.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000003.00000003.1226301585.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000010.00000003.1345960387.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000010.00000003.1347601468.0000000004100000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000013.00000003.1364312318.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000013.00000003.1367488153.00000000037B0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: sacculation.exe, 00000003.00000003.1224478199.0000000003D30000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000003.00000003.1226301585.0000000003C10000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000010.00000003.1345960387.0000000003F60000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000010.00000003.1347601468.0000000004100000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000013.00000003.1364312318.00000000038D0000.00000004.00001000.00020000.00000000.sdmp, sacculation.exe, 00000013.00000003.1367488153.00000000037B0000.00000004.00001000.00020000.00000000.sdmp
Source: 784069483573273747434.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 784069483573273747434.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 784069483573273747434.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 784069483573273747434.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 784069483573273747434.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C4B37 LoadLibraryA,GetProcAddress, 0_2_008C4B37
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E8945 push ecx; ret 0_2_008E8958
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007E8945 push ecx; ret 3_2_007E8958
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004000D8 push es; iretd 4_2_004000D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040008C push es; iretd 4_2_0040008D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004542E6 push ecx; ret 4_2_004542F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0045B4FD push esi; ret 4_2_0045B506
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00432BD6 push ecx; ret 4_2_00432BE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00454C08 push eax; ret 4_2_00454C26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004000D8 push es; iretd 20_2_004000D9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040008C push es; iretd 20_2_0040008D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004542E6 push ecx; ret 20_2_004542F9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0045B4FD push esi; ret 20_2_0045B506
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00432BD6 push ecx; ret 20_2_00432BE9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00454C08 push eax; ret 20_2_00454C26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044693D push ecx; ret 25_2_0044694D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044DB70 push eax; ret 25_2_0044DB84
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0044DB70 push eax; ret 25_2_0044DBAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_00451D54 push eax; ret 25_2_00451D61
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004063C6 ShellExecuteW,URLDownloadToFileW, 4_2_004063C6
Source: C:\Users\user\Desktop\784069483573273747434.exe File created: C:\Users\user\AppData\Local\biopsies\sacculation.exe Jump to dropped file

Boot Survival

Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sacculation.vbs Jump to dropped file
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sacculation.vbs Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00418A00 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 4_2_00418A00
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_008C48D7
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00945376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00945376
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 3_2_007C48D7
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_00845376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 3_2_00845376
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_008E3187
Source: C:\Users\user\Desktop\784069483573273747434.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040E18D Sleep,ExitProcess, 4_2_0040E18D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040E18D Sleep,ExitProcess, 20_2_0040E18D
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe API/Special instruction interceptor: Address: 121348C
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe API/Special instruction interceptor: Address: 16A2A1C
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe API/Special instruction interceptor: Address: F34224
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 25_2_0040DD85
Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 4_2_004186FE
Source: C:\Windows\SysWOW64\svchost.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 20_2_004186FE
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 3084 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: threadDelayed 6362 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe Window / User API: foregroundWindowGot 1747 Jump to behavior
Source: C:\Users\user\Desktop\784069483573273747434.exe API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe API coverage: 4.8 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 9.1 %
Source: C:\Windows\SysWOW64\svchost.exe API coverage: 8.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 7412 Thread sleep count: 240 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7412 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7416 Thread sleep count: 3084 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7416 Thread sleep time: -9252000s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7416 Thread sleep count: 6362 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe TID: 7416 Thread sleep time: -19086000s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_0092445A
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092C6D1 FindFirstFileW,FindClose, 0_2_0092C6D1
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0092C75C
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0092EF95
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_0092F0F2
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0092F3F3
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_009237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_009237EF
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00923B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00923B12
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0092BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0092BCBC
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082445A GetFileAttributesW,FindFirstFileW,FindClose, 3_2_0082445A
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082C6D1 FindFirstFileW,FindClose, 3_2_0082C6D1
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 3_2_0082C75C
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0082EF95
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 3_2_0082F0F2
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0082F3F3
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_008237EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_008237EF
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_00823B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 3_2_00823B12
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_0082BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 3_2_0082BCBC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 4_2_0041A01B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 4_2_0040B28E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_0040838E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 4_2_004087A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 4_2_00407848
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004068CD FindFirstFileW,FindNextFileW, 4_2_004068CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0044BA59 FindFirstFileExA, 4_2_0044BA59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 4_2_0040AA71
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 4_2_00417AAB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 4_2_0040AC78
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0041A01B FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 20_2_0041A01B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040B28E FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 20_2_0040B28E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040838E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, 20_2_0040838E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004087A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, 20_2_004087A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00407848 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, 20_2_00407848
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004068CD FindFirstFileW,FindNextFileW, 20_2_004068CD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0044BA59 FindFirstFileExA, 20_2_0044BA59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040AA71 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 20_2_0040AA71
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00417AAB FindFirstFileW,FindNextFileW,FindNextFileW, 20_2_00417AAB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0040AC78 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 20_2_0040AC78
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0040AE51 FindFirstFileW,FindNextFileW, 25_2_0040AE51
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00406D28 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 4_2_00406D28
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008C49A0
Source: Amcache.hve.7.dr Binary or memory string: VMware
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.7.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.7.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.7.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.7.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: svchost.exe, 00000014.00000003.3568975388.000000000326B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3643257194.000000000326B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.7.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: bhv9B9.tmp.25.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: svchost.exe, 00000014.00000002.3643204098.0000000003212000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: Amcache.hve.7.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.7.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: svchost.exe, 00000004.00000002.1345319637.0000000003012000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.7.dr Binary or memory string: vmci.sys
Source: Amcache.hve.7.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.7.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.7.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.7.dr Binary or memory string: VMware20,1
Source: svchost.exe, 00000014.00000002.3644615880.000000000328A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWMSAFD L2CAP [Bluetooth]MSAFD RfComm [Bluetooth]en-USen-GBn
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.7.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.7.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.7.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.7.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.7.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.7.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.7.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.7.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00933F09 BlockInput, 0_2_00933F09
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_008C3B3A
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008F5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_008F5A7C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 25_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,CloseHandle,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, 25_2_0040DD85
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C4B37 LoadLibraryA,GetProcAddress, 0_2_008C4B37
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_01172850 mov eax, dword ptr fs:[00000030h] 0_2_01172850
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_01173E80 mov eax, dword ptr fs:[00000030h] 0_2_01173E80
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_01173EE0 mov eax, dword ptr fs:[00000030h] 0_2_01173EE0
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_012120C8 mov eax, dword ptr fs:[00000030h] 3_2_012120C8
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_01213758 mov eax, dword ptr fs:[00000030h] 3_2_01213758
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_012136F8 mov eax, dword ptr fs:[00000030h] 3_2_012136F8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004407B5 mov eax, dword ptr fs:[00000030h] 4_2_004407B5
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 16_2_016A2CE8 mov eax, dword ptr fs:[00000030h] 16_2_016A2CE8
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 16_2_016A1658 mov eax, dword ptr fs:[00000030h] 16_2_016A1658
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 16_2_016A2C88 mov eax, dword ptr fs:[00000030h] 16_2_016A2C88
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 19_2_00F344F0 mov eax, dword ptr fs:[00000030h] 19_2_00F344F0
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 19_2_00F32E60 mov eax, dword ptr fs:[00000030h] 19_2_00F32E60
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 19_2_00F34490 mov eax, dword ptr fs:[00000030h] 19_2_00F34490
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004407B5 mov eax, dword ptr fs:[00000030h] 20_2_004407B5
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_009180A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation, 0_2_009180A9
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008EA124 SetUnhandledExceptionFilter, 0_2_008EA124
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_008EA155
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007EA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_007EA155
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_007EA124 SetUnhandledExceptionFilter, 3_2_007EA124
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_004327AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004328FC SetUnhandledExceptionFilter, 4_2_004328FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_004398AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 4_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00432D5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004327AE IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_004327AE
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004328FC SetUnhandledExceptionFilter, 20_2_004328FC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_004398AC IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 20_2_004398AC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_00432D5C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00432D5C

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\svchost.exe Network Connect: 192.3.101.149 6565
Source: C:\Windows\SysWOW64\svchost.exe Code function: 20_2_0041642D GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 20_2_0041642D
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B29008
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C6A008
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 4_2_00410B5C
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 20_2_00410B5C
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_009187B1 LogonUserW, 0_2_009187B1
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_008C3B3A
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_008C48D7
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00924C27 mouse_event, 0_2_00924C27
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\784069483573273747434.exe"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\biopsies\sacculation.exe "C:\Users\user\AppData\Local\biopsies\sacculation.exe"
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\biopsies\sacculation.exe"
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\biopsies\sacculation.exe"
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00917CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00917CAF
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_0091874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_0091874B
Source: 784069483573273747434.exe, sacculation.exe.0.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: svchost.exe, 00000004.00000002.1345319637.0000000003012000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerProgram Manager
Source: 784069483573273747434.exe, sacculation.exe Binary or memory string: Shell_TrayWnd
Source: svchost.exe, 00000014.00000002.3643257194.0000000003224000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager04\
Source: svchost.exe, 00000014.00000002.3643257194.0000000003224000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerProgram Manager04\
Source: svchost.exe, 00000004.00000002.1345319637.0000000003012000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: svchost.exe, 00000014.00000002.3643257194.0000000003224000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: C:\ProgramData\remcos8Program Manager04\
Source: svchost.exe, 00000004.00000002.1345319637.0000000003012000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000014.00000002.3643257194.0000000003224000.00000004.00000020.00020000.00000000.sdmp, logs.dat.4.dr Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008E862B cpuid 0_2_008E862B
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 4_2_0044F17B
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 4_2_0044F130
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 4_2_0044F216
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 4_2_0044F2A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 4_2_0040E2BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 4_2_0044F4F3
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 4_2_0044F61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 4_2_0044F723
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 4_2_0044F7F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 4_2_00445914
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 4_2_00445E1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 4_2_0044EEB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 20_2_0044F17B
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 20_2_0044F130
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 20_2_0044F216
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 20_2_0044F2A3
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoA, 20_2_0040E2BB
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 20_2_0044F4F3
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 20_2_0044F61C
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 20_2_0044F723
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 20_2_0044F7F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: EnumSystemLocalesW, 20_2_00445914
Source: C:\Windows\SysWOW64\svchost.exe Code function: GetLocaleInfoW, 20_2_00445E1C
Source: C:\Windows\SysWOW64\svchost.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 20_2_0044EEB8
Source: C:\Windows\SysWOW64\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008F4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_008F4E87
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00901E06 GetUserNameW, 0_2_00901E06
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008F3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_008F3F3A
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_008C49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_008C49A0
Source: C:\Users\user\Desktop\784069483573273747434.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.7.dr Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1345355156.0000000003031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345694800.0000000004D5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3643257194.0000000003224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3643159219.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3644897898.0000000004F5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345319637.0000000003012000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345237084.000000000300E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\svchost.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 4_2_0040A953
Source: C:\Windows\SysWOW64\svchost.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 20_2_0040A953
Source: C:\Windows\SysWOW64\svchost.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 4_2_0040AA71
Source: C:\Windows\SysWOW64\svchost.exe Code function: \key3.db 4_2_0040AA71
Source: C:\Windows\SysWOW64\svchost.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 20_2_0040AA71
Source: C:\Windows\SysWOW64\svchost.exe Code function: \key3.db 20_2_0040AA71
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Windows\SysWOW64\svchost.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\SysWOW64\svchost.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 3948, type: MEMORYSTR
Source: sacculation.exe Binary or memory string: WIN_81
Source: sacculation.exe Binary or memory string: WIN_XP
Source: sacculation.exe Binary or memory string: WIN_XPe
Source: sacculation.exe Binary or memory string: WIN_VISTA
Source: sacculation.exe Binary or memory string: WIN_7
Source: sacculation.exe Binary or memory string: WIN_8
Source: sacculation.exe.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: C:\Windows\SysWOW64\svchost.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3SSI04
Source: C:\Windows\SysWOW64\svchost.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-3SSI04
Source: Yara match File source: 16.2.sacculation.exe.3ee0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sacculation.exe.3b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sacculation.exe.e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.sacculation.exe.3ee0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.sacculation.exe.3b10000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 19.2.sacculation.exe.e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.1345355156.0000000003031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345694800.0000000004D5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3643257194.0000000003224000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1344756034.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3643159219.0000000003200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1354799938.0000000003EE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3644897898.0000000004F5F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345319637.0000000003012000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3642377715.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.1368983567.0000000000E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1227866323.0000000003B10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1345237084.000000000300E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7156, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7268, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: sacculation.exe PID: 7316, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: svchost.exe PID: 7380, type: MEMORYSTR
Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Windows\SysWOW64\svchost.exe Code function: cmd.exe 4_2_0040567A
Source: C:\Windows\SysWOW64\svchost.exe Code function: cmd.exe 20_2_0040567A
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00936283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00936283
Source: C:\Users\user\Desktop\784069483573273747434.exe Code function: 0_2_00936747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00936747
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_00836283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 3_2_00836283
Source: C:\Users\user\AppData\Local\biopsies\sacculation.exe Code function: 3_2_00836747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 3_2_00836747