Windows Analysis Report
ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe

Overview

General Information

Sample name: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Analysis ID: 1650073
MD5: 6b2882f79966dcc945228aedfe49f50f
SHA1: c42021d816b505c7771eb3f3877783494154d7e4
SHA256: 3fa271144c7a9185fdb82951db8a4aa94c38e94e1dbdcbe6e00f2e18591387f5
Tags: exe, user-TeamDreier

Detection

DBatLoader, Remcos
Score: 100
Range: 0 - 100
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
Allocates many large memory chunks
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Creates autostart registry keys with suspicious names
Creates multiple autostart registry keys
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Joe Sandbox ML detected suspicious sample
Sigma detected: DLL Search Order Hijackig Via Additional Space in Path
Sigma detected: Execution from Suspicious Folder
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the user directory
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name is different from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

[Classification chart; categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; scale: clean, suspicious, malicious]
Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Avira: detected
Source: C:\ProgramData\WSP\wsp.exe Avira: detection malicious, Label: HEUR/AGEN.1326052
Source: C:\Users\user\Links\Woqkdcmz.PIF Avira: detection malicious, Label: HEUR/AGEN.1326052
Source: 0000000F.00000002.1788740982.00000000007FC000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": ["104.250.180.178:7902:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "wsp.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "wsp-KG6IRP", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "WSP", "Keylog folder": "remcos"}
Source: C:\ProgramData\WSP\wsp.exe ReversingLabs: Detection: 30%
Source: C:\ProgramData\WSP\wsp.exe Virustotal: Detection: 36%
Source: C:\Users\user\Links\Woqkdcmz.PIF Virustotal: Detection: 36%
Source: C:\Users\user\Links\Woqkdcmz.PIF ReversingLabs: Detection: 30%
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Virustotal: Detection: 23%
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe ReversingLabs: Detection: 30%
Source: Yara match File source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.1788740982.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1401897281.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1544692180.0000000021028000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1694075061.000000000078A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1641527274.0000000021018000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1515636803.000000000082F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1610613341.000000000078C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1870174059.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1424558075.00000000218C9000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3855801503.0000000000897000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Woqkdcmz.PIF PID: 1708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 2972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 6924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Woqkdcmz.PIF PID: 6684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 7052, type: MEMORYSTR
Source: Submitted Sample Neural Call Log Analysis: 96.5%
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218A3B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_218A3B64
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FF3B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 11_2_20FF3B64
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FE3B64 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 13_2_20FE3B64
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_695ef80a-4

Exploits

Source: Yara match File source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1424558075.00000000218C9000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe PID: 6496, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21876ABC _wcslen,CoGetObject, 0_2_21876ABC
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: Binary string: easinvoker.pdb source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1391159742.000000007EA4F000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC03000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1422439793.00000000205E4000.00000004.00001000.00020000.00000000.sdmp, Woqkdcmz.PIF, 0000000B.00000002.1542459361.000000002070F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1403149956.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000009.00000000.1410597026.00000000003F1000.00000020.00000001.01000000.00000008.sdmp, alpha.pif, 0000000A.00000000.1413570446.00000000003F1000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.8.dr
Source: Binary string: easinvoker.pdbGCTL source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1391159742.000000007EA4F000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC03000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1393197868.0000000000757000.00000004.00000020.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1422439793.00000000205E4000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1393197868.000000000077F000.00000004.00000020.00020000.00000000.sdmp, Woqkdcmz.PIF, 0000000B.00000002.1542459361.000000002070F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1403149956.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, alpha.pif, 00000009.00000000.1410597026.00000000003F1000.00000020.00000001.01000000.00000008.sdmp, alpha.pif, 0000000A.00000000.1413570446.00000000003F1000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.8.dr
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028B54D0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_028B54D0
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218790DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 0_2_218790DC
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2188C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_2188C7E5
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2187B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_2187B6B5
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218BE989 FindFirstFileExA, 0_2_218BE989
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2187B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_2187B8BA
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21878CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 0_2_21878CDE
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21889CEE FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_21889CEE
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21876F13 FindFirstFileW,FindNextFileW, 0_2_21876F13
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21877EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_21877EDD
Source: C:\Users\Public\alpha.pif Code function: 9_2_00400207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 9_2_00400207
Source: C:\Users\Public\alpha.pif Code function: 9_2_0040589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 9_2_0040589A
Source: C:\Users\Public\alpha.pif Code function: 9_2_00413E66 FindFirstFileW,FindNextFileW,FindClose, 9_2_00413E66
Source: C:\Users\Public\alpha.pif Code function: 9_2_00404EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 9_2_00404EC1
Source: C:\Users\Public\alpha.pif Code function: 9_2_003F532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 9_2_003F532E
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FC90DC FindFirstFileW,FindNextFileW,FindClose, 11_2_20FC90DC
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FD9CEE FindFirstFileW, 11_2_20FD9CEE
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FC7EDD FindFirstFileW,FindNextFileW,FindClose, 11_2_20FC7EDD
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FCB6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_20FCB6B5
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FDC7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 11_2_20FDC7E5
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FC6F13 FindFirstFileW,FindNextFileW, 11_2_20FC6F13
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_2100E989 FindFirstFileExA, 11_2_2100E989
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FFE989 FindFirstFileExA, 13_2_20FFE989
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FB90DC FindFirstFileW,FindNextFileW,FindClose, 13_2_20FB90DC
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FC9CEE FindFirstFileW, 13_2_20FC9CEE
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FB7EDD FindFirstFileW,FindNextFileW,FindClose, 13_2_20FB7EDD
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FBB6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_20FBB6B5
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FCC7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 13_2_20FCC7E5
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FB6F13 FindFirstFileW,FindNextFileW, 13_2_20FB6F13
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21877357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_21877357

Networking

Source: Malware configuration extractor IPs: 104.250.180.178
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: global traffic TCP traffic: 192.168.2.12:49686 -> 104.250.180.178:7902
Source: Joe Sandbox View IP Address: 104.250.180.178
Source: Joe Sandbox View ASN Name: M247GB
Source: unknown TCP traffic detected without corresponding DNS query: 104.250.180.178
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21897321 recv, 0_2_21897321
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe String found in binary or memory: http://geoplugin.net/json.gp
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1424558075.00000000218C9000.00000002.00001000.00020000.00000000.sdmp, Woqkdcmz.PIF, 0000000B.00000002.1544692180.000000002102D000.00000002.00001000.00020000.00000000.sdmp, wsp.exe, 0000000D.00000002.1641527274.000000002101D000.00000002.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1391405812.000000007E9B4000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC84000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC03000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1422439793.000000002067C000.00000004.00001000.00020000.00000000.sdmp, Woqkdcmz.PIF, 0000000B.00000002.1542459361.0000000020773000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.pmail.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21879D1E SetWindowsHookExA 0000000D,21879D0A,00000000 0_2_21879D1E
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2187B158 OpenClipboard,GetClipboardData,CloseClipboard, 0_2_2187B158
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2188696E OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 0_2_2188696E
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2187B158 OpenClipboard,GetClipboardData,CloseClipboard, 0_2_2187B158
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21879E4A GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx, 0_2_21879E4A
Source: Yara match File source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1424558075.00000000218C9000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe PID: 6496, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.1788740982.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1401897281.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1544692180.0000000021028000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1694075061.000000000078A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1641527274.0000000021018000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1515636803.000000000082F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1610613341.000000000078C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1870174059.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1424558075.00000000218C9000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3855801503.0000000000897000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Woqkdcmz.PIF PID: 1708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 2972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 6924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Woqkdcmz.PIF PID: 6684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 7052, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2188CF2D SystemParametersInfoW, 0_2_2188CF2D
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FDCF2D SystemParametersInfoW, 11_2_20FDCF2D
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FCCF2D SystemParametersInfoW, 13_2_20FCCF2D

System Summary

Source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000000D.00000002.1641527274.000000002101D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1424558075.00000000218C9000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000B.00000002.1544692180.000000002102D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe PID: 6496, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Woqkdcmz.PIF PID: 1708, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: wsp.exe PID: 2972, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C3220 NtAllocateVirtualMemory, 0_2_028C3220
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028CA0C4 RtlDosPathNameToNtPathName_U,NtCreateFile,NtWriteFile,NtClose, 0_2_028CA0C4
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028CA03C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_028CA03C
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028CA1A8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtQueryInformationFile,NtReadFile,NtClose, 0_2_028CA1A8
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C356C NtWriteVirtualMemory, 0_2_028C356C
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C321E NtAllocateVirtualMemory, 0_2_028C321E
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C564C GetThreadContext,SetThreadContext,NtResumeThread, 0_2_028C564C
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C564A GetThreadContext,SetThreadContext,NtResumeThread, 0_2_028C564A
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C9FE8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 0_2_028C9FE8
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2188C0A3 OpenProcess,NtResumeProcess,CloseHandle, 0_2_2188C0A3
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2188C077 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_2188C077
Source: C:\ProgramData\WSP\wsp.exe Code function: 7_2_02973220 NtAllocateVirtualMemory, 7_2_02973220
Source: C:\ProgramData\WSP\wsp.exe Code function: 7_2_0297A1A8 NtOpenFile,NtReadFile,NtClose, 7_2_0297A1A8
Source: C:\ProgramData\WSP\wsp.exe Code function: 7_2_0297356C NtWriteVirtualMemory, 7_2_0297356C
Source: C:\ProgramData\WSP\wsp.exe Code function: 7_2_0297321E NtAllocateVirtualMemory, 7_2_0297321E
Source: C:\ProgramData\WSP\wsp.exe Code function: 7_2_02973607 NtWriteVirtualMemory, 7_2_02973607
Source: C:\Users\Public\alpha.pif Code function: 9_2_00417460 EnterCriticalSection,LeaveCriticalSection,fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 9_2_00417460
Source: C:\Users\Public\alpha.pif Code function: 9_2_00404823 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 9_2_00404823
Source: C:\Users\Public\alpha.pif Code function: 9_2_0040643A NtOpenThreadToken,NtOpenProcessToken,NtClose, 9_2_0040643A
Source: C:\Users\Public\alpha.pif Code function: 9_2_004064CA NtQueryInformationToken, 9_2_004064CA
Source: C:\Users\Public\alpha.pif Code function: 9_2_00406500 NtQueryInformationToken,NtQueryInformationToken, 9_2_00406500
Source: C:\Users\Public\alpha.pif Code function: 9_2_0041A135 NtSetInformationFile, 9_2_0041A135
Source: C:\Users\Public\alpha.pif Code function: 9_2_0041C1FA SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memcpy,memcpy,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 9_2_0041C1FA
Source: C:\Users\Public\alpha.pif Code function: 9_2_003F4E3B _setjmp3,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess,longjmp, 9_2_003F4E3B
Source: C:\Users\Public\alpha.pif Code function: 9_2_00404759 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,DeleteFileW,GetLastError, 9_2_00404759
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_029B3220 NtAllocateVirtualMemory, 11_2_029B3220
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_029BA1A8 NtOpenFile,NtReadFile,NtClose, 11_2_029BA1A8
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_029B356C NtWriteVirtualMemory, 11_2_029B356C
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_029B321E NtAllocateVirtualMemory, 11_2_029B321E
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_029B3607 NtWriteVirtualMemory, 11_2_029B3607
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FDC0A3 OpenProcess,NtResumeProcess,CloseHandle, 11_2_20FDC0A3
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FDC077 OpenProcess,NtSuspendProcess,CloseHandle, 11_2_20FDC077
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FDDCC8 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 11_2_20FDDCC8
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028B3220 NtAllocateVirtualMemory, 13_2_028B3220
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028BA1A8 RtlDosPathNameToNtPathName_U,NtOpenFile,NtReadFile,NtClose, 13_2_028BA1A8
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028B356C NtWriteVirtualMemory, 13_2_028B356C
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028B32BD NtAllocateVirtualMemory, 13_2_028B32BD
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028B321E NtAllocateVirtualMemory, 13_2_028B321E
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028BA0C4 RtlDosPathNameToNtPathName_U,NtWriteFile,NtClose, 13_2_028BA0C4
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028BA03C RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 13_2_028BA03C
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028B3607 NtWriteVirtualMemory, 13_2_028B3607
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028B564A GetThreadContext,SetThreadContext,NtResumeThread, 13_2_028B564A
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028B564C GetThreadContext,SetThreadContext,NtResumeThread, 13_2_028B564C
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_028B9FE8 RtlInitUnicodeString,RtlDosPathNameToNtPathName_U,NtDeleteFile, 13_2_028B9FE8
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FCC0A3 OpenProcess,NtResumeProcess,CloseHandle, 13_2_20FCC0A3
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FCC077 OpenProcess,NtSuspendProcess,CloseHandle, 13_2_20FCC077
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FCDCC8 NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 13_2_20FCDCC8
Source: C:\ProgramData\WSP\wsp.exe Code function: 14_2_02823220 NtAllocateVirtualMemory, 14_2_02823220
Source: C:\ProgramData\WSP\wsp.exe Code function: 14_2_0282A1A8 NtOpenFile,NtReadFile,NtClose, 14_2_0282A1A8
Source: C:\ProgramData\WSP\wsp.exe Code function: 14_2_0282356C NtWriteVirtualMemory, 14_2_0282356C
Source: C:\ProgramData\WSP\wsp.exe Code function: 14_2_028232BD NtAllocateVirtualMemory, 14_2_028232BD
Source: C:\ProgramData\WSP\wsp.exe Code function: 14_2_0282321E NtAllocateVirtualMemory, 14_2_0282321E
Source: C:\ProgramData\WSP\wsp.exe Code function: 14_2_02823607 NtWriteVirtualMemory, 14_2_02823607
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 15_2_028D3220 NtAllocateVirtualMemory, 15_2_028D3220
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 15_2_028DA1A8 NtOpenFile,NtReadFile,NtClose, 15_2_028DA1A8
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 15_2_028D356C NtWriteVirtualMemory, 15_2_028D356C
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 15_2_028D32BD NtAllocateVirtualMemory, 15_2_028D32BD
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 15_2_028D321E NtAllocateVirtualMemory, 15_2_028D321E
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 15_2_028D3607 NtWriteVirtualMemory, 15_2_028D3607
Source: C:\ProgramData\WSP\wsp.exe Code function: 16_2_02813220 NtAllocateVirtualMemory, 16_2_02813220
Source: C:\ProgramData\WSP\wsp.exe Code function: 16_2_0281A1A8 NtOpenFile,NtReadFile,NtClose, 16_2_0281A1A8
Source: C:\ProgramData\WSP\wsp.exe Code function: 16_2_0281356C NtWriteVirtualMemory, 16_2_0281356C
Source: C:\ProgramData\WSP\wsp.exe Code function: 16_2_0281321E NtAllocateVirtualMemory, 16_2_0281321E
Source: C:\ProgramData\WSP\wsp.exe Code function: 16_2_02813607 NtWriteVirtualMemory, 16_2_02813607
Source: C:\Users\Public\alpha.pif Code function: 9_2_003F4C10: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPAX@Z,memset,CreateFileW,DeviceIoControl,memcpy,CloseHandle,??_V@YAXPAX@Z,memset,??_V@YAXPAX@Z,FindClose,??_V@YAXPAX@Z, 9_2_003F4C10
Source: C:\Users\Public\alpha.pif Code function: 9_2_003F9458 InitializeProcThreadAttributeList,UpdateProcThreadAttribute,memset,memset,GetStartupInfoW,lstrcmpW,CreateProcessW,CloseHandle,GetLastError,GetLastError,DeleteProcThreadAttributeList,_local_unwind4,CreateProcessAsUserW,GetLastError,CloseHandle, 9_2_003F9458
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21886861 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_21886861
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FD6863 ExitWindowsEx,LoadLibraryA,GetProcAddress, 11_2_20FD6863
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FC6863 ExitWindowsEx,LoadLibraryA,GetProcAddress, 13_2_20FC6863
Source: C:\Users\Public\alpha.pif File created: C:\Windows 
Source: C:\Users\Public\alpha.pif File created: C:\Windows \SysWOW64
Source: Joe Sandbox View Dropped File: C:\Users\Public\alpha.pif 4D89FC34D5F0F9BABD022271C585A9477BF41E834E46B991DEAA0530FDB25E22
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 02973FB4 appears 48 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 20FE51E0 appears 55 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 02804414 appears 154 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 02813FB4 appears 48 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 0281457C appears 548 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 028A4414 appears 154 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 0296457C appears 548 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 0280457C appears 574 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 02823FB4 appears 48 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 028B3FB4 appears 48 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 02814414 appears 154 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 02964414 appears 154 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 028A457C appears 574 times
Source: C:\ProgramData\WSP\wsp.exe Code function: String function: 20FB2117 appears 37 times
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: String function: 20FF51E0 appears 55 times
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: String function: 028C4414 appears 154 times
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: String function: 029A4414 appears 154 times
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: String function: 029A457C appears 548 times
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: String function: 029B3FB4 appears 48 times
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: String function: 028C457C appears 574 times
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: String function: 028D3FB4 appears 48 times
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: String function: 20FC2117 appears 37 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 218A4ACF appears 44 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 218A51E0 appears 55 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 028B4414 appears 246 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 028C4030 appears 45 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 028C3FB4 appears 54 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 028B457C appears 799 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 028B421C appears 66 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 21871F96 appears 49 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 028B4240 appears 31 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 21871EBF appears 35 times
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: String function: 21872117 appears 39 times
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1391405812.000000007E9B4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1391405812.000000007E9B4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC84000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC84000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC03000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1393197868.00000000007AA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1393197868.000000000077B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1422439793.000000002067C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1422439793.000000002067C000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1422439793.00000000205E4000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000000D.00000002.1641527274.000000002101D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1424558075.00000000218C9000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000B.00000002.1544692180.000000002102D000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe PID: 6496, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Woqkdcmz.PIF PID: 1708, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: wsp.exe PID: 2972, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@24/10@0/2
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21887AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_21887AD9
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FD7AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 11_2_20FD7AD9
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FC7AD9 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 13_2_20FC7AD9
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028B7B28 GetDiskFreeSpaceA, 0_2_028B7B28
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2187C03C GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_2187C03C
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2188B9AB FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_2188B9AB
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2188AD04 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_2188AD04
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe File created: C:\Users\All Users\8806.cmd
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6952:120:WilError_03
Source: C:\ProgramData\WSP\wsp.exe Mutant created: \Sessions\1\BaseNamedObjects\wsp-KG6IRP
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\ProgramData\WSP\wsp.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Links\Woqkdcmz.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Virustotal: Detection: 23%
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe ReversingLabs: Detection: 30%
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe File read: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe
Source: unknown Process created: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe "C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe"
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\8806.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\32172.cmd""
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process created: C:\ProgramData\WSP\wsp.exe "C:\ProgramData\WSP\wsp.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"
Source: unknown Process created: C:\Users\user\Links\Woqkdcmz.PIF "C:\Users\user\Links\Woqkdcmz.PIF"
Source: unknown Process created: C:\ProgramData\WSP\wsp.exe "C:\ProgramData\WSP\wsp.exe"
Source: unknown Process created: C:\ProgramData\WSP\wsp.exe "C:\ProgramData\WSP\wsp.exe"
Source: unknown Process created: C:\Users\user\Links\Woqkdcmz.PIF "C:\Users\user\Links\Woqkdcmz.PIF"
Source: unknown Process created: C:\ProgramData\WSP\wsp.exe "C:\ProgramData\WSP\wsp.exe"
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\8806.cmd"" Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\32172.cmd"" Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process created: C:\ProgramData\WSP\wsp.exe "C:\ProgramData\WSP\wsp.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10 Jump to behavior
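As an added example (not part of the sandbox report, and not a Joe Sandbox feature): a small Python triage script that parses lines in the "Source: <process> <Action>: <detail>" layout used above and flags the techniques visible in the process tree: esentutl copying cmd.exe to alpha.pif, mkdir of a "C:\Windows " path with a trailing space in a component (the mock trusted directory behind the "DLL Search Order Hijacking Via Additional Space in Path" Sigma hit listed in the overview), ping -n 10 against the loopback address used as a sleep, and execution from Public, ProgramData or Links with a .PIF extension. The two registry rules annotate the Software Restriction Policy lookup and the Delphi RTL locale key as context rather than alerts. The rule names, the ping threshold, the folder list and the sample line list are my own choices; the sample lines are copied from this report, with command-line backslashes doubled exactly as the report renders them, and the parser assumes the image path contains no spaces.

```python
import re
from collections import Counter

# Constructed sample: lines copied from the report in its own
# "Source: <process> <Action>: <detail>" layout. Command lines keep the doubled
# backslashes exactly as the report renders them; image paths are single-backslash.
SAMPLE_LINES = [
    r'Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior',
    r'Source: C:\ProgramData\WSP\wsp.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales Jump to behavior',
    r'Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\\Users\\All Users\\8806.cmd""',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10',
    r'Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process created: C:\ProgramData\WSP\wsp.exe "C:\ProgramData\WSP\wsp.exe"',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows "',
    r'Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"',
    r'Source: unknown Process created: C:\Users\user\Links\Woqkdcmz.PIF "C:\Users\user\Links\Woqkdcmz.PIF"',
]

LINE_RE = re.compile(
    r'^Source: (?P<src>.+?) (?P<action>Process created|Key opened|File read|Section loaded): '
    r'(?P<detail>.+?)(?: Jump to behavior)?$'
)

# Hypothetical threshold and folder list chosen for this example, not taken from the report.
PING_SLEEP_MIN_COUNT = 3
USER_WRITABLE_DIRS = ('c:\\users\\public\\', 'c:\\programdata\\', '\\links\\')


def _ext(path):
    """Lower-case extension of the last path component ('' if none)."""
    name = re.split(r'[\\/]', path)[-1]
    return name.rsplit('.', 1)[-1].lower() if '.' in name else ''


def check_process(image, cmdline):
    """Return the rule names a single process-creation event triggers."""
    hits = []
    low = image.lower()
    # Execution from a user-writable folder, or a .PIF (renamed executable) image.
    if _ext(image) == 'pif' or any(d in low for d in USER_WRITABLE_DIRS):
        hits.append('suspicious_image_location')
    # esentutl /y <src> /d <dst> /o: LOLBin file copy (here cmd.exe -> alpha.pif).
    if re.search(r'esentutl(?:\.exe)?\s+/y\s+\S+\s+/d\s+\S+', cmdline, re.I):
        hits.append('esentutl_copy')
    # mkdir of a path with a trailing space in a component ("C:\Windows \SysWOW64"):
    # the mock trusted directory behind the Sigma "additional space in path" rule.
    m = re.search(r'mkdir\s+"([^"]+)"', cmdline, re.I)
    if m and any(part != part.rstrip() for part in m.group(1).split('\\')):
        hits.append('trailing_space_dir')
    # ping against loopback with a large -n count is a sleep, not a connectivity check.
    m = re.search(r'\bping(?:\.exe)?\b.*?\b(?:127\.0\.0\.1|localhost)\b.*?-n\s+(\d+)', cmdline, re.I)
    if m and int(m.group(1)) >= PING_SLEEP_MIN_COUNT:
        hits.append('ping_sleep')
    # Batch script run from "All Users" (the legacy junction to C:\ProgramData).
    if re.search(r'all users\\+[^"\s]*\.(?:cmd|bat)\b', cmdline, re.I):
        hits.append('script_from_all_users')
    return hits


def check_key(key):
    """Registry-open events worth annotating (context, not alerts on their own)."""
    k = key.lower()
    if k.endswith('\\safer\\codeidentifiers'):
        return ['srp_policy_check']      # Software Restriction Policy lookup
    if k.endswith('\\borland\\delphi\\locales'):
        return ['delphi_runtime']        # Delphi RTL locale lookup: a Delphi-built binary
    return []


def analyze(lines):
    """Parse report lines and return one finding dict per triggered rule."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, action, detail = m.group('src', 'action', 'detail')
        if action == 'Process created':
            image, _, cmdline = detail.partition(' ')   # assumes no space in the image path
            for rule in check_process(image, cmdline):
                findings.append({'rule': rule, 'parent': src, 'image': image, 'detail': cmdline})
        elif action == 'Key opened':
            for rule in check_key(detail):
                findings.append({'rule': rule, 'parent': src, 'image': src, 'detail': detail})
    return findings


def rule_counts(lines):
    """Counter of rule name -> number of events that triggered it."""
    return Counter(f['rule'] for f in analyze(lines))


if __name__ == '__main__':
    for f in analyze(SAMPLE_LINES):
        print(f"{f['rule']:26} {f['image']}  <-  {f['detail']}")
    print(dict(rule_counts(SAMPLE_LINES)))
```

Run against the sample, the script attributes the esentutl copy and both mkdir calls to cmd.exe as parent, which is the chain an analyst wants to see: the loader spawns cmd.exe, cmd.exe copies itself to alpha.pif via esentutl, and the renamed copy creates the trailing-space Windows directory. The two registry rules fire once each and are deliberately low-signal: every Delphi binary reads the Locales key, so it only tells you what the binary was built with.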
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: am.dll (5 occurrences)
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: endpointdlp.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: am.dll (124 occurrences)
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: am.dll (29 occurrences)
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: ??????????.dll (module name not rendered by the report export)
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: ??.dll (module name not rendered by the report export)
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll (2 occurrences)
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\SysWOW64\PING.EXE Section loaded: mswsock.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: apphelp.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: version.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: uxtheme.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: url.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: ieframe.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: iertutil.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: netapi32.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: userenv.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: winhttp.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: wkscli.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: netutils.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll (5 occurrences)
Source: C:\ProgramData\WSP\wsp.exe Section loaded: endpointdlp.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: archiveint.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: cryptsp.dll
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll (48 occurrences)
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: winmm.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: am.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: wininet.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: wldp.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: profapi.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: amsi.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: ieproxy.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: mssip32.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: smartscreenps.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: esent.dll Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\esentutl.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: url.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: ieframe.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: netapi32.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: wkscli.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: endpointdlp.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: archiveint.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Section loaded: am.dll Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Static file information: File size 1704448 > 1048576
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Static PE information: raw size of .rsrc (0x115800) exceeds the 0x100000 threshold
Source: Binary string: easinvoker.pdb source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1391159742.000000007EA4F000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC03000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1422439793.00000000205E4000.00000004.00001000.00020000.00000000.sdmp, Woqkdcmz.PIF, 0000000B.00000002.1542459361.000000002070F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdbUGP source: esentutl.exe, 00000008.00000003.1403149956.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000009.00000000.1410597026.00000000003F1000.00000020.00000001.01000000.00000008.sdmp, alpha.pif, 0000000A.00000000.1413570446.00000000003F1000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.8.dr
Source: Binary string: easinvoker.pdbGCTL source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1391159742.000000007EA4F000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EBF0000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1392356515.000000007EC03000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1393197868.0000000000757000.00000004.00000020.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1422439793.00000000205E4000.00000004.00001000.00020000.00000000.sdmp, ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000003.1393197868.000000000077F000.00000004.00000020.00020000.00000000.sdmp, Woqkdcmz.PIF, 0000000B.00000002.1542459361.000000002070F000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: cmd.pdb source: esentutl.exe, 00000008.00000003.1403149956.0000000004D60000.00000004.00001000.00020000.00000000.sdmp, alpha.pif, 00000009.00000000.1410597026.00000000003F1000.00000020.00000001.01000000.00000008.sdmp, alpha.pif, 0000000A.00000000.1413570446.00000000003F1000.00000020.00000001.01000000.00000008.sdmp, alpha.pif.8.dr
What the PDB strings tell a responder: cmd.pdb inside alpha.pif, and inside the memory of the esentutl.exe process that wrote it, shows that C:\Users\Public\alpha.pif is a copy of cmd.exe under a different name and extension; hashing it against the system cmd.exe confirms this. easinvoker.pdb in the submitted sample's own memory shows that it carries a copy of Microsoft's easinvoker.exe, the auto-elevating Windows binary that DBatLoader abuses for its UAC bypass, so look for a copy of easinvoker.exe and a planted netutils.dll on an affected host.

Data Obfuscation

Source: Yara match File source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.234df18.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.234df18.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.28b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.1403021774.000000000234D000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: alpha.pif.8.dr Static PE information: 0xF8D87E17 [Thu Apr 20 00:53:43 2102 UTC]
The compile timestamp of alpha.pif decodes to the year 2102. Because alpha.pif is a copy of cmd.exe (its strings carry cmd.pdb, see the binary-string entries above), the nonsensical date was not forged by the malware: Windows system binaries are built reproducibly and their PE TimeDateStamp field holds a build hash rather than a time. Check the file hash against the system cmd.exe instead of weighting this entry.
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C43E8 LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_028C43E8
Source: alpha.pif.8.dr Static PE information: section name: .didat
.didat is the delay-load import data section that the Microsoft linker emits; in a copy of cmd.exe it is expected and is not a packer artefact.
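The two static entries above (the 2102 timestamp and the .didat section of alpha.pif) are the kind of thing a triage script should decode and then weigh against what else is known about the file. The following added example is not part of the report and not code from the sample: it reads the COFF timestamp and section names out of a PE header, flags a timestamp that lies in the future, and downgrades that flag when the PDB name recovered from strings marks a Microsoft reproducible build. The header-only PE buffer is constructed in place for offline use; the 0xF8D87E17 timestamp and the .didat name come from the report, the other section names and the MICROSOFT_PDBS set are assumptions.

```python
"""Static PE triage for a dropped file such as alpha.pif: decode the COFF
TimeDateStamp and section names, flag a future timestamp, and apply the
caveat that holds for copies of Microsoft system binaries."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# Sections the Microsoft linker emits routinely; .didat holds delay-load
# import data and is common in Microsoft-built binaries.
LINKER_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".rsrc", ".reloc",
                   ".didat", ".idata", ".edata", ".tls", ".bss"}

# Assumed set: PDB names (from strings) that identify a Microsoft-built
# binary. cmd.pdb sits in a renamed cmd.exe, easinvoker.pdb in easinvoker.exe.
MICROSOFT_PDBS = {"cmd.pdb", "easinvoker.pdb"}


def parse_pe(buf):
    """Return machine type, COFF timestamp and section names of a PE image."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsect, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, coff)
    table = coff + 20 + opt_size          # section table follows the optional header
    names = [
        struct.unpack_from("8s", buf, table + 40 * i)[0].rstrip(b"\0").decode("ascii", "replace")
        for i in range(nsect)
    ]
    return {"machine": machine, "timestamp": stamp, "sections": names}


def stamp_to_utc(stamp):
    """Decode a 32-bit COFF timestamp; timedelta arithmetic avoids time_t limits."""
    return EPOCH + timedelta(seconds=stamp)


def assess(buf, pdb_name=None, now=None):
    """Judge the timestamp in the light of the PDB name found in strings."""
    now = now or datetime.now(timezone.utc)
    info = parse_pe(buf)
    when = stamp_to_utc(info["timestamp"])
    result = {
        "timestamp_utc": when.strftime("%a %b %d %H:%M:%S %Y"),
        "in_future": when > now,
        "unusual_sections": sorted(set(info["sections"]) - LINKER_SECTIONS),
        "notes": [],
    }
    if result["in_future"]:
        if pdb_name and pdb_name.lower() in MICROSOFT_PDBS:
            result["notes"].append(
                f"{pdb_name}: Microsoft reproducible builds store a hash in TimeDateStamp, "
                "so a future date is expected; verify by hashing the file against the system copy")
        else:
            result["notes"].append("future timestamp with no Microsoft build marker: likely forged")
    return result


def build_sample_pe(stamp, sections):
    """Constructed header-only PE for offline use; not a real executable."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))        # e_lfanew
    optional = bytes(224)                               # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, len(optional), 0x0102)
    table = b"".join(struct.pack("<8s32x", s.encode("ascii")) for s in sections)
    return bytes(dos) + b"PE\0\0" + coff + optional + table


# 0xF8D87E17 and .didat come from the report; the remaining sections are assumed.
SAMPLE_ALPHA_PIF = build_sample_pe(0xF8D87E17, [".text", ".data", ".didat", ".rsrc"])

if __name__ == "__main__":
    print(assess(SAMPLE_ALPHA_PIF, pdb_name="cmd.pdb"))
```

Run as-is it reports the same "Thu Apr 20 00:53:43 2102" the sandbox printed, marks it as future, and attaches the reproducible-build note because of cmd.pdb; the same buffer with no PDB hint is reported as a likely forged timestamp. The decisive check on a real host is the file hash against the system cmd.exe, not the date.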
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028D62AC push 028D6317h; ret 0_2_028D630F
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028B3210 push eax; ret 0_2_028B324C
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C53B4 push 028C53ECh; ret 0_2_028C53E4
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028B6368 push 028B63AAh; ret 0_2_028B63A2
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028B6366 push 028B63AAh; ret 0_2_028B63A2
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028D60AC push 028D6125h; ret 0_2_028D611D
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C30C8 push 028C3173h; ret 0_2_028C316B
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C30C6 push 028C3173h; ret 0_2_028C316B
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028BC004 push ecx; mov dword ptr [esp], edx 0_2_028BC009
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028D61F8 push 028D6288h; ret 0_2_028D6280
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C4118 push 028C4150h; ret 0_2_028C4148
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028D6144 push 028D61ECh; ret 0_2_028D61E4
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028BC684 push 028BC80Ah; ret 0_2_028BC802
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028BF6E0 push 028BF756h; ret 0_2_028BF74E
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028BC67F push 028BC80Ah; ret 0_2_028BC802
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028BF7EB push 028BF839h; ret 0_2_028BF831
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028BF7EC push 028BF839h; ret 0_2_028BF831
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C749C push 028C74D4h; ret 0_2_028C74CC
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C749B push 028C74D4h; ret 0_2_028C74CC
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C25FC push ecx; mov dword ptr [esp], edx 0_2_028C25FE
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028CAA18 push ecx; mov dword ptr [esp], edx 0_2_028CAA1D
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028CAA7C push ecx; mov dword ptr [esp], edx 0_2_028CAA81
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028D5A78 push 028D5C5Eh; ret 0_2_028D5C56
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C3ED4 push 028C3F16h; ret 0_2_028C3F0E
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028B5F82 push 028B5FDFh; ret 0_2_028B5FD7
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028B5F84 push 028B5FDFh; ret 0_2_028B5FD7
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028BCFCC push 028BCFF8h; ret 0_2_028BCFF0
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218C70CF push ecx; ret 0_2_218C70E2
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218A5226 push ecx; ret 0_2_218A5239
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218C7A00 push eax; ret 0_2_218C7A1E
Source: C:\ProgramData\WSP\wsp.exe Code function: 7_2_029862AC push 02986317h; ret 7_2_0298630F
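The push imm32 / ret pairs listed above are an indirect jump: ret pops the pushed constant into EIP, so a linear disassembler that keys on jmp/call never sees the transfer. The following added example is not part of the report and is not DBatLoader or Remcos code. It scans raw x86 bytes for the pattern and resolves the effective target, and it parses the report's own entries to show where each jump lands relative to the ret. The sample bytes are constructed to mirror the first entry (push at 028D62AC, ret at 028D630F, target 028D6317); the four report lines are copied from the listing above.

```python
"""Resolve push imm32 / ret pairs, an indirect jump that hides its target
from a linear disassembler, in raw x86 bytes and in the report's entries."""
import re
import struct

PUSH_IMM32 = 0x68   # push imm32
RET = 0xC3          # near ret


def find_push_ret(code, base, max_gap=256):
    """Scan raw x86 bytes for push imm32 ... ret pairs.

    For each push opcode, read the 32-bit immediate and look ahead up to
    max_gap bytes for the first ret. Only immediates inside the scanned image
    are reported, which filters pushes of ordinary constants. The ret pops the
    pushed value into EIP, so each hit behaves as jmp target; `skipped` is the
    number of bytes after the ret that this path never executes (negative
    when the jump goes backwards).
    """
    end = base + len(code)
    hits = []
    for i in range(len(code) - 4):
        if code[i] != PUSH_IMM32:
            continue
        target = struct.unpack_from("<I", code, i + 1)[0]
        if not base <= target < end:
            continue
        j = code.find(bytes([RET]), i + 5, i + 5 + max_gap)
        if j == -1:
            continue
        hits.append({"push_va": base + i, "target": target,
                     "ret_va": base + j, "skipped": target - (base + j + 1)})
    return hits


# Joe Sandbox prints "<pid>_<phase>_<push va> push <imm>h; ret <pid>_<phase>_<ret va>".
ENTRY_RE = re.compile(
    r"\d+_\d+_(?P<push>[0-9A-Fa-f]{8}) push (?P<target>[0-9A-Fa-f]{8})h; "
    r"ret \d+_\d+_(?P<ret>[0-9A-Fa-f]{8})"
)


def parse_report_entry(line):
    """Extract the same three addresses from one report line, or None."""
    m = ENTRY_RE.search(line)
    if not m:
        return None
    push, target, ret = (int(m.group(k), 16) for k in ("push", "target", "ret"))
    return {"push_va": push, "target": target, "ret_va": ret, "skipped": target - (ret + 1)}


# Entries copied from the report (process 0, the submitted sample).
REPORT_ENTRIES = [
    "0_2_028D62AC push 028D6317h; ret 0_2_028D630F",
    "0_2_028C53B4 push 028C53ECh; ret 0_2_028C53E4",
    "0_2_028D61F8 push 028D6288h; ret 0_2_028D6280",
    "0_2_028D5A78 push 028D5C5Eh; ret 0_2_028D5C56",
]


def build_sample(base=0x028D62AC):
    """Constructed bytes laid out like the first report entry: push at base,
    ret 0x63 bytes later, target 7 bytes past the ret."""
    ret_off = 0x63
    target = base + ret_off + 1 + 7                      # 0x028D6317
    code = bytearray([PUSH_IMM32]) + struct.pack("<I", target)
    code += b"\x90" * (ret_off - len(code))              # filler standing in for the body
    code += bytes([RET])
    code += b"\xCC" * 7                                  # bytes the ret steps over
    code += b"\x31\xC0\xC3"                              # target: xor eax, eax ; ret
    return bytes(code), base


if __name__ == "__main__":
    for hit in find_push_ret(*build_sample()):
        print({k: hex(v) for k, v in hit.items()})
    for line in REPORT_ENTRIES:
        print(parse_report_entry(line)["skipped"], line)
```

Every pair in the listing resolves to a jump exactly 7 bytes past its ret. A constant gap like that is what a compiler emits rather than hand-placed junk: Delphi wraps try/finally blocks in precisely this push offset / ret idiom, and the push ecx; mov dword ptr [esp], edx entries above are Delphi code generation too. On a Delphi-built loader this heuristic fires on ordinary code, so treat the "Data Obfuscation" entries as weak evidence on their own.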

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif (listed 3 times)
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe File created: C:\Users\user\Links\Woqkdcmz.PIF (listed 2 times)
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218762E2 ShellExecuteW,URLDownloadToFileW, 0_2_218762E2
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe File created: C:\ProgramData\WSP\wsp.exe (listed 2 times)

Boot Survival

Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run wsp-KG6IRP (listed 4 times)
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Woqkdcmz (listed 3 times)
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run wsp-KG6IRP (listed 2 times)
The value names match the dropped files: wsp-KG6IRP for C:\ProgramData\WSP\wsp.exe and Woqkdcmz for C:\Users\user\Links\Woqkdcmz.PIF. The HKEY_LOCAL_MACHINE Run key is only writable with administrative rights, so on a real host the third entry means the sample was running elevated when it wrote it.
Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2188AD04 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,QueryServiceStatus,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 0_2_2188AD04
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C7914 GetModuleHandleA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_028C7914
The "Process information set" entries below record SetErrorMode calls: SEM_FAILCRITICALERRORS and SEM_NOOPENFILEERRORBOX suppress the system error dialogs, so a missing DLL or a failed disk read does not leave the process stuck behind a message box while it runs unattended.
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process information set: NOOPENFILEERRORBOX (listed 2 times)
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX (listed 2 times)
Source: C:\ProgramData\WSP\wsp.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (listed 4 times)
Source: C:\ProgramData\WSP\wsp.exe Process information set: NOOPENFILEERRORBOX (listed 2 times)
Source: C:\Users\user\Links\Woqkdcmz.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (listed 2 times)

Malware Analysis System Evasion

Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29A0000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29A1000 memory commit 500154368 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29C6000 memory commit 500002816 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29C7000 memory commit 500047872 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29D2000 memory commit 500015104 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29D6000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29D7000 memory commit 500015104 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 20FC0000 memory commit 500002816 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28A0000 memory commit 500006912 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28A1000 memory commit 500154368 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28C6000 memory commit 500002816 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28C7000 memory commit 500047872 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28D2000 memory commit 500015104 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28D6000 memory commit 500006912 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28D7000 memory commit 500015104 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 20FB0000 memory commit 500002816 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2810000 memory commit 500006912 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2811000 memory commit 500154368 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2836000 memory commit 500002816 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2837000 memory commit 500047872 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2842000 memory commit 500015104 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2846000 memory commit 500006912 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2847000 memory commit 500015104 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 20FB0000 memory commit 500002816 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 28C0000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 28C1000 memory commit 500154368 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 28E6000 memory commit 500002816 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 28E7000 memory commit 500047872 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 28F2000 memory commit 500015104 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 28F6000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 28F7000 memory commit 500015104 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 20FB0000 memory commit 500002816 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2800000 memory commit 500006912
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2801000 memory commit 500154368
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2826000 memory commit 500002816
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2827000 memory commit 500047872
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2832000 memory commit 500015104
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2836000 memory commit 500006912
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2837000 memory commit 500015104
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 20FB0000 memory commit 500002816
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Memory allocated: 28B0000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Memory allocated: 28B1000 memory commit 500154368 Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Memory allocated: 28D6000 memory commit 500002816 Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Memory allocated: 28D7000 memory commit 500047872 Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Memory allocated: 28E2000 memory commit 500015104 Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Memory allocated: 28E6000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Memory allocated: 28E7000 memory commit 500015104 Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Memory allocated: 21870000 memory commit 500002816 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2960000 memory commit 500006912 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2961000 memory commit 500154368 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2986000 memory commit 500002816 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2987000 memory commit 500047872 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2992000 memory commit 500015104 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2996000 memory commit 500006912 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 2997000 memory commit 500015104 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 20FB0000 memory commit 500002816 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10 Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_2188A941
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 11_2_20FDA941
Source: C:\ProgramData\WSP\wsp.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 13_2_20FCA941
Source: C:\ProgramData\WSP\wsp.exe Window / User API: threadDelayed 5114 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Window / User API: threadDelayed 4875 Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe API coverage: 8.8 %
Source: C:\Users\Public\alpha.pif API coverage: 6.3 %
Source: C:\Users\user\Links\Woqkdcmz.PIF API coverage: 3.3 %
Source: C:\ProgramData\WSP\wsp.exe API coverage: 4.3 %
Source: C:\ProgramData\WSP\wsp.exe TID: 2908 Thread sleep time: -15342000s >= -30000s Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe TID: 2908 Thread sleep time: -14625000s >= -30000s Jump to behavior
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE Last function: Thread delayed
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028B54D0 GetModuleHandleA,GetProcAddress,lstrcpynA,lstrcpynA,lstrcpynA,FindFirstFileA,FindClose,lstrlenA,lstrcpynA,lstrlenA,lstrcpynA, 0_2_028B54D0
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218790DC __EH_prolog,FindFirstFileW,FindNextFileW,FindClose, 0_2_218790DC
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2188C7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 0_2_2188C7E5
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2187B6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_2187B6B5
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218BE989 FindFirstFileExA, 0_2_218BE989
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_2187B8BA FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_2187B8BA
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21878CDE __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8, 0_2_21878CDE
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21889CEE FindFirstFileW,FindNextFileW,FindNextFileW, 0_2_21889CEE
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21876F13 FindFirstFileW,FindNextFileW, 0_2_21876F13
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21877EDD __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8, 0_2_21877EDD
Source: C:\Users\Public\alpha.pif Code function: 9_2_00400207 FindFirstFileW,FindClose,memcpy,_wcsnicmp,_wcsicmp,memmove, 9_2_00400207
Source: C:\Users\Public\alpha.pif Code function: 9_2_0040589A FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,GetProcessHeap,HeapReAlloc,FindNextFileW,FindClose,GetLastError,FindClose, 9_2_0040589A
Source: C:\Users\Public\alpha.pif Code function: 9_2_00413E66 FindFirstFileW,FindNextFileW,FindClose, 9_2_00413E66
Source: C:\Users\Public\alpha.pif Code function: 9_2_00404EC1 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 9_2_00404EC1
Source: C:\Users\Public\alpha.pif Code function: 9_2_003F532E GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPAX@Z,FindNextFileW,??_V@YAXPAX@Z,SetLastError,??_V@YAXPAX@Z,GetLastError,FindClose, 9_2_003F532E
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FC90DC FindFirstFileW,FindNextFileW,FindClose, 11_2_20FC90DC
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FD9CEE FindFirstFileW, 11_2_20FD9CEE
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FC7EDD FindFirstFileW,FindNextFileW,FindClose, 11_2_20FC7EDD
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FCB6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 11_2_20FCB6B5
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FDC7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 11_2_20FDC7E5
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FC6F13 FindFirstFileW,FindNextFileW, 11_2_20FC6F13
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_2100E989 FindFirstFileExA, 11_2_2100E989
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FFE989 FindFirstFileExA, 13_2_20FFE989
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FB90DC FindFirstFileW,FindNextFileW,FindClose, 13_2_20FB90DC
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FC9CEE FindFirstFileW, 13_2_20FC9CEE
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FB7EDD FindFirstFileW,FindNextFileW,FindClose, 13_2_20FB7EDD
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FBB6B5 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 13_2_20FBB6B5
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FCC7E5 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose, 13_2_20FCC7E5
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FB6F13 FindFirstFileW,FindNextFileW, 13_2_20FB6F13
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21877357 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW, 0_2_21877357
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1401897281.0000000000736000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1401897281.0000000000736000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}lj?
Source: Woqkdcmz.PIF, 0000000F.00000002.1788740982.00000000007E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll"
Source: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe, 00000000.00000002.1401897281.0000000000720000.00000004.00000020.00020000.00000000.sdmp, wsp.exe, 00000007.00000002.3855801503.0000000000882000.00000004.00000020.00020000.00000000.sdmp, Woqkdcmz.PIF, 0000000B.00000002.1515636803.000000000080F000.00000004.00000020.00020000.00000000.sdmp, wsp.exe, 0000000D.00000002.1610613341.000000000077B000.00000004.00000020.00020000.00000000.sdmp, wsp.exe, 0000000E.00000002.1694075061.0000000000773000.00000004.00000020.00020000.00000000.sdmp, wsp.exe, 00000010.00000002.1870174059.0000000000898000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe API call chain: ExitProcess graph end node
Source: C:\ProgramData\WSP\wsp.exe API call chain: ExitProcess graph end node
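The block of Memory allocated entries above is what the "Allocates many large memory junks" signature in the summary refers to: each loader instance commits eight regions of roughly 500 MB, about 4 GB per instance, which an analysis VM with a small RAM budget either cannot satisfy or is slowed down by noticeably; the ping 127.0.0.1 -n 10 invocations and the threadDelayed counts are the time-based side of the same evasion. The script below is an added example, not part of the report: it parses report lines of this shape (the excerpt is a subset of the entries above, copied verbatim) and totals committed memory and sleep per process so the scale of the evasion is visible at a glance. The estimate of roughly (n - 1) seconds per loopback ping call is an assumption based on ping's one-second send interval.

```python
import re
from collections import defaultdict
from typing import Dict, List

GIB = 1 << 30

# Constructed excerpt: a subset of the report lines above, copied verbatim.
REPORT_EXCERPT = r"""
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29A0000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29A1000 memory commit 500154368 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29C6000 memory commit 500002816 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29C7000 memory commit 500047872 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29D2000 memory commit 500015104 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29D6000 memory commit 500006912 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 29D7000 memory commit 500015104 Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Memory allocated: 20FC0000 memory commit 500002816 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28A0000 memory commit 500006912 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28A1000 memory commit 500154368 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28C6000 memory commit 500002816 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28C7000 memory commit 500047872 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28D2000 memory commit 500015104 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28D6000 memory commit 500006912 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 28D7000 memory commit 500015104 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Memory allocated: 20FB0000 memory commit 500002816 Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10
Source: C:\ProgramData\WSP\wsp.exe Window / User API: threadDelayed 5114 Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Window / User API: threadDelayed 4875 Jump to behavior
"""

MEM_RE = re.compile(r"^Source: (?P<proc>.+?) Memory allocated: (?P<addr>[0-9A-F]+) memory commit (?P<size>\d+)")
DELAY_RE = re.compile(r"^Source: (?P<proc>.+?) Window / User API: threadDelayed (?P<n>\d+)")
PING_RE = re.compile(r"PING\.EXE ping (?P<host>\S+) -n (?P<n>\d+)", re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def summarize(report_text: str) -> Dict[str, object]:
    commit: Dict[str, int] = defaultdict(int)   # bytes committed per process
    delays: Dict[str, int] = defaultdict(int)   # threadDelayed counts per process
    pings: List[int] = []                       # estimated seconds per loopback ping
    for line in report_text.splitlines():
        m = MEM_RE.match(line)
        if m:
            commit[m["proc"]] += int(m["size"])
            continue
        m = DELAY_RE.match(line)
        if m:
            delays[m["proc"]] += int(m["n"])
            continue
        m = PING_RE.search(line)
        if m and m["host"].lower() in LOOPBACK:
            # ASSUMPTION: ping sends one request per second, so -n N blocks
            # the calling cmd.exe for roughly N-1 seconds.
            pings.append(max(int(m["n"]) - 1, 0))
    return {
        "commit_bytes": dict(commit),
        "thread_delays": dict(delays),
        "ping_sleep_seconds": pings,
        # Anything committing a GiB or more in a burst is worth a closer look.
        "large_commit": sorted(p for p, b in commit.items() if b >= GIB),
    }


if __name__ == "__main__":
    s = summarize(REPORT_EXCERPT)
    for proc, b in s["commit_bytes"].items():
        print(f"{proc}: {b / GIB:.2f} GiB committed")
    print("loopback ping sleeps (s):", s["ping_sleep_seconds"])
    print("threadDelayed:", s["thread_delays"])
```

The per-process total of just under 4 GB is the number to carry into a hunt: a process in a user profile or ProgramData committing that much in a few seconds is a cheap, high-signal telemetry condition, independent of any string or hash.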

Anti Debugging

Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028CB014 GetModuleHandleW,GetProcAddress,CheckRemoteDebuggerPresent, 0_2_028CB014
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Links\Woqkdcmz.PIF Process queried: DebugPort Jump to behavior
Source: C:\ProgramData\WSP\wsp.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218AB88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_218AB88D
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028C43E8 LoadLibraryA,GetProcAddress,GetProcAddress, 0_2_028C43E8
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218B38F4 mov eax, dword ptr fs:[00000030h] 0_2_218B38F4
Source: C:\Users\Public\alpha.pif Code function: 9_2_0041C1FA mov eax, dword ptr fs:[00000030h] 9_2_0041C1FA
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_210038F4 mov eax, dword ptr fs:[00000030h] 11_2_210038F4
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FF38F4 mov eax, dword ptr fs:[00000030h] 13_2_20FF38F4
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_21881999 GetNativeSystemInfo,GetProcessHeap,HeapAlloc,SetLastError,SetLastError, 0_2_21881999
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218A5398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_218A5398
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218A4D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_218A4D6E
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218A4F01 SetUnhandledExceptionFilter, 0_2_218A4F01
Source: C:\Users\Public\alpha.pif Code function: 9_2_00406EC0 SetUnhandledExceptionFilter, 9_2_00406EC0
Source: C:\Users\Public\alpha.pif Code function: 9_2_00406B40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00406B40
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FFB88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_20FFB88D
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FF5398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_20FF5398
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FF4D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_20FF4D6E
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: 11_2_20FF4F01 SetUnhandledExceptionFilter, 11_2_20FF4F01
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FEB88D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_20FEB88D
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FE5398 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_20FE5398
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FE4D6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_20FE4D6E
Source: C:\ProgramData\WSP\wsp.exe Code function: 13_2_20FE4F01 SetUnhandledExceptionFilter, 13_2_20FE4F01
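The Anti Debugging entries above combine three checks: the documented APIs IsDebuggerPresent and CheckRemoteDebuggerPresent (the latter resolved at run time through GetProcAddress at 0_2_028CB014), the "Process queried: DebugPort" entries, which correspond to NtQueryInformationProcess with the ProcessDebugPort information class, and the `mov eax, dword ptr fs:[00000030h]` instructions, which read the PEB pointer from the TEB so the code can test PEB.BeingDebugged without calling any API at all. The following is an added static triage helper, not part of the report or of the sandbox: it scans a byte blob for the 32-bit fs:[30h] PEB-read encodings and for the API names in ANSI and UTF-16LE, which is the same evidence a YARA rule for these checks would key on. The sample bytes are constructed.

```python
import re
from typing import Dict, List

# Encodings of the 32-bit PEB read the report lists. fs:[0x30] holds the
# PEB pointer in the TEB; PEB+0x02 is BeingDebugged.
#   64 A1 30 00 00 00      mov eax, dword ptr fs:[30h]
#   64 8B 0D 30 00 00 00   mov ecx, dword ptr fs:[30h]   (8B /r, ModRM 0D)
#   64 8B 15 30 00 00 00   mov edx, dword ptr fs:[30h]
#   64 8B 1D 30 00 00 00   mov ebx, dword ptr fs:[30h]
PEB_READS = {
    "mov eax, fs:[30h]": b"\x64\xA1\x30\x00\x00\x00",
    "mov ecx, fs:[30h]": b"\x64\x8B\x0D\x30\x00\x00\x00",
    "mov edx, fs:[30h]": b"\x64\x8B\x15\x30\x00\x00\x00",
    "mov ebx, fs:[30h]": b"\x64\x8B\x1D\x30\x00\x00\x00",
}
# API names behind the other entries. "DebugPort" is NtQueryInformationProcess
# with ProcessInformationClass 7 (ProcessDebugPort).
API_NAMES = ["IsDebuggerPresent", "CheckRemoteDebuggerPresent",
             "NtQueryInformationProcess"]


def scan_anti_debug(blob: bytes) -> Dict[str, List[int]]:
    """Return {indicator: [offsets]} for every anti-debug indicator found."""
    hits: Dict[str, List[int]] = {}
    for label, pat in PEB_READS.items():
        offs = [m.start() for m in re.finditer(re.escape(pat), blob)]
        if offs:
            hits[label] = offs
    for name in API_NAMES:
        # Import tables are ANSI; runtime-resolved names are sometimes wide.
        for enc, label in ((name.encode("ascii"), name),
                           (name.encode("utf-16-le"), name + " (wide)")):
            offs = [m.start() for m in re.finditer(re.escape(enc), blob)]
            if offs:
                hits[label] = offs
    return hits


# Constructed test blob: a prologue, the PEB read followed by
# `movzx eax, byte ptr [eax+2]` (reads PEB.BeingDebugged), then strings
# laid out as they would be in an import name table.
CONSTRUCTED_BLOB = (
    b"\x55\x8B\xEC"                         # push ebp; mov ebp, esp
    + b"\x64\xA1\x30\x00\x00\x00"           # mov eax, fs:[30h]
    + b"\x0F\xB6\x40\x02"                   # movzx eax, byte ptr [eax+2]
    + b"\x85\xC0\x75\x05"                   # test eax, eax; jnz +5
    + b"\x00" * 16
    + b"IsDebuggerPresent\x00"
    + b"CheckRemoteDebuggerPresent\x00"
    + "NtQueryInformationProcess".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for label, offs in scan_anti_debug(CONSTRUCTED_BLOB).items():
        print(f"{label:40s} at {', '.join(hex(o) for o in offs)}")
```

Run it over the unpacked regions the report names (for example the 0.2 ...21870000.8.unpack dump) rather than the packed sample: the PEB-read opcodes only exist in the decrypted code, and the API names only exist once the loader has built its import table.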

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\esentutl.exe File created: C:\Users\Public\alpha.pif Jump to dropped file
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218897D9 mouse_event, 0_2_218897D9
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Process created: C:\ProgramData\WSP\wsp.exe "C:\ProgramData\WSP\wsp.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\esentutl.exe C:\\Windows\\System32\\esentutl /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows " Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\Public\alpha.pif C:\\Users\\Public\\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\PING.EXE ping 127.0.0.1 -n 10 Jump to behavior
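The four process creations above are the chain the Sigma hits in the summary refer to: cmd.exe uses esentutl /y to copy cmd.exe to C:\Users\Public\alpha.pif (a renamed copy of the shell that file-name based HIPS rules and hooks on cmd.exe will not see), the copy then creates "C:\Windows " (note the trailing space) and a SysWOW64 folder beneath it, and ping 127.0.0.1 -n 10 serves as a sleep. The trailing-space directory can only be created through the \\?\ prefix, which bypasses Win32 path normalization; it is the classic mock trusted directory used for DLL search-order hijacking and for abusing auto-elevating binaries. Below is an added detection example, not part of this report: a small Python matcher over constructed process-creation records in the shape of Sysmon Event ID 1 (ParentImage / Image / CommandLine). The first four events are built from the command lines shown above; the last two are benign controls that must not fire.

```python
import re
from typing import Dict, List

# Constructed Sysmon-style process-creation records (Event ID 1 fields).
EVENTS = [
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "Image": r"C:\Windows\SysWOW64\esentutl.exe",
     "CommandLine": r"C:\Windows\System32\esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o"},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "Image": r"C:\Users\Public\alpha.pif",
     "CommandLine": r'C:\Users\Public\alpha.pif /c mkdir "\\?\C:\Windows "'},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "Image": r"C:\Users\Public\alpha.pif",
     "CommandLine": r'C:\Users\Public\alpha.pif /c mkdir "\\?\C:\Windows \SysWOW64"'},
    {"ParentImage": r"C:\Windows\SysWOW64\cmd.exe", "Image": r"C:\Windows\SysWOW64\PING.EXE",
     "CommandLine": r"ping 127.0.0.1 -n 10"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\user\notes.txt"},
    {"ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\PING.EXE",
     "CommandLine": r"ping 10.0.0.1 -n 2"},
]

# esentutl /y <src> /d <dst>: a copy primitive that never touches CopyFile.
ESENTUTL_COPY_RE = re.compile(r'/y\s+"?(?P<src>[^"\s]+)"?\s+/d\s+"?(?P<dst>[^"\s]+)"?', re.I)
# A trusted root followed by a space and then a quote or backslash, e.g.
# "C:\Windows " or "C:\Windows \SysWOW64". Win32 strips the space unless the
# caller used the \\?\ prefix, so a match is almost never legitimate.
MOCK_DIR_RE = re.compile(r'[A-Za-z]:\\(?:Windows|Program Files(?: \(x86\))?) (?=["\\])', re.I)
PING_RE = re.compile(r"\bping(?:\.exe)?\s+(?P<host>\S+)\s+-n\s+(?P<n>\d+)", re.I)
LOOPBACK = {"127.0.0.1", "localhost", "::1"}
ODD_EXT = (".pif", ".scr", ".com")
USER_WRITABLE = ("\\users\\public\\", "\\links\\", "\\programdata\\", "\\appdata\\local\\temp\\")


def _basename(p: str) -> str:
    return p.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(ev: Dict[str, str]) -> List[str]:
    hits: List[str] = []
    image, cmd = _basename(ev["Image"]), ev["CommandLine"]
    if image == "esentutl.exe":
        m = ESENTUTL_COPY_RE.search(cmd)
        if m and (_basename(m["src"]) == "cmd.exe" or
                  (_basename(m["src"]).endswith(".exe") and not _basename(m["dst"]).endswith(".exe"))):
            hits.append("lolbin_copy_of_system_binary")
    if MOCK_DIR_RE.search(cmd):
        hits.append("mock_trusted_directory_trailing_space")
    if image.startswith("ping"):
        m = PING_RE.search(cmd)
        # Loopback with a large count is a sleep; a remote host with -n 2 is a probe.
        if m and m["host"].lower() in LOOPBACK and int(m["n"]) >= 5:
            hits.append("ping_loopback_sleep")
    low = ev["Image"].lower()
    if low.endswith(ODD_EXT) and any(d in low for d in USER_WRITABLE):
        hits.append("odd_extension_from_user_writable_dir")
    return hits


def scan(events: List[Dict[str, str]]) -> List[List[str]]:
    return [detect(e) for e in events]


if __name__ == "__main__":
    for ev, hits in zip(EVENTS, scan(EVENTS)):
        if hits:
            print(f"{ev['Image']} <- {ev['ParentImage']}: {', '.join(hits)}")
```

In production these rules belong in the SIEM as separate detections (the esentutl copy and the trailing-space mkdir are each worth an alert on their own); the Python is here to show exactly which tokens in the report's command lines each rule keys on, including the quoting that hides the trailing space from a casual reader.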
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218A5034 cpuid 0_2_218A5034
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028B5694
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetLocaleInfoA, 0_2_028BA2A4
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetLocaleInfoA, 0_2_028BA2F0
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: lstrcpynA,GetThreadLocale,GetLocaleInfoA,lstrlenA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA,lstrcpynA,LoadLibraryExA, 0_2_028B57A0
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: EnumSystemLocalesW, 0_2_218C217D
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: EnumSystemLocalesW, 0_2_218C2097
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: EnumSystemLocalesW, 0_2_218C20E2
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_218C220A
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetLocaleInfoA, 0_2_2187F26B
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_218C2583
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: EnumSystemLocalesW, 0_2_218B844E
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetLocaleInfoW, 0_2_218C245A
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_218C2757
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetLocaleInfoW, 0_2_218C268A
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: GetLocaleInfoW, 0_2_218B8937
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_218C1E1F
Source: C:\Users\Public\alpha.pif Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 9_2_003F8572
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,GetDateFormatW,memmove,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,GetLastError,realloc, 9_2_003F6854
Source: C:\Users\Public\alpha.pif Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 9_2_003F9310
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: GetLocaleInfoA, 11_2_20FCF26B
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: GetLocaleInfoW, 11_2_21008937
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: EnumSystemLocalesW, 11_2_2101217D
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: EnumSystemLocalesW, 11_2_21012097
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: EnumSystemLocalesW, 11_2_210120E2
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 11_2_21012583
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: EnumSystemLocalesW, 11_2_2100844E
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: GetLocaleInfoW, 11_2_21012451
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: GetLocaleInfoW, 11_2_2101245A
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 11_2_21012757
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 11_2_21011E1F
Source: C:\Users\user\Links\Woqkdcmz.PIF Code function: GetLocaleInfoW, 11_2_2101268A
Source: C:\ProgramData\WSP\wsp.exe Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 13_2_028A5694
Source: C:\ProgramData\WSP\wsp.exe Code function: GetLocaleInfoA, 13_2_028AA2F0
Source: C:\ProgramData\WSP\wsp.exe Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA, 13_2_028A579F
Source: C:\ProgramData\WSP\wsp.exe Code function: EnumSystemLocalesW, 13_2_2100217D
Source: C:\ProgramData\WSP\wsp.exe Code function: EnumSystemLocalesW, 13_2_21002097
Source: C:\ProgramData\WSP\wsp.exe Code function: GetLocaleInfoW, 13_2_20FF8937
Source: C:\ProgramData\WSP\wsp.exe Code function: EnumSystemLocalesW, 13_2_210020E2
Source: C:\ProgramData\WSP\wsp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_21002583
Source: C:\ProgramData\WSP\wsp.exe Code function: EnumSystemLocalesW, 13_2_20FF844E
Source: C:\ProgramData\WSP\wsp.exe Code function: GetLocaleInfoW, 13_2_21002451
Source: C:\ProgramData\WSP\wsp.exe Code function: GetLocaleInfoW, 13_2_2100245A
Source: C:\ProgramData\WSP\wsp.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_21002757
Source: C:\ProgramData\WSP\wsp.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 13_2_21001E1F
Source: C:\ProgramData\WSP\wsp.exe Code function: GetLocaleInfoW, 13_2_2100268A
Source: C:\ProgramData\WSP\wsp.exe Code function: GetLocaleInfoA, 13_2_20FBF26B
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028B8D24 GetLocalTime, 0_2_028B8D24
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028CA964 GetUserNameA, 0_2_028CA964
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_218B91DA _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_218B91DA
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: 0_2_028BB224 GetVersionExA, 0_2_028BB224

Stealing of Sensitive Information

Source: Yara match File source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.1788740982.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1401897281.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1544692180.0000000021028000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1694075061.000000000078A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1641527274.0000000021018000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1515636803.000000000082F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1610613341.000000000078C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1870174059.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1424558075.00000000218C9000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3855801503.0000000000897000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Woqkdcmz.PIF PID: 1708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 2972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 6924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Woqkdcmz.PIF PID: 6684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 7052, type: MEMORYSTR
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_2187B59B
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_2187B6B5
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: \key3.db 0_2_2187B6B5

Remote Access Functionality

Source: Yara match File source: 0.2.ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe.21870000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000F.00000002.1788740982.00000000007FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1401897281.0000000000736000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1544692180.0000000021028000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1694075061.000000000078A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1641527274.0000000021018000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1515636803.000000000082F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.1610613341.000000000078C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.1870174059.00000000008DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1424558075.00000000218C9000.00000002.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.3855801503.0000000000897000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1440237535.000000007E490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe PID: 6496, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 7116, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Woqkdcmz.PIF PID: 1708, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 2972, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 6924, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Woqkdcmz.PIF PID: 6684, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: wsp.exe PID: 7052, type: MEMORYSTR
Source: C:\Users\user\Desktop\ISF-docBL#MIQOKHH009171-811-25-01347-811033.scr.exe Code function: cmd.exe 0_2_21875091