Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_0040928E |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
3_2_0041C322 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
3_2_0040C388 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_004096A0 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
3_2_00408847 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00407877 FindFirstFileW,FindNextFileW, |
3_2_00407877 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0044E8F9 FindFirstFileExA, |
3_2_0044E8F9 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
3_2_0040BB6B |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, |
3_2_00419B86 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
3_2_0040BD72 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
3_2_100010F1 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_10006580 FindFirstFileExA, |
3_2_10006580 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW, |
5_2_0040AE51 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, |
6_2_00407EF8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, |
7_2_00407898 |
Source: unknown |
TCP traffic detected without corresponding DNS query: 67.207.161.204 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0? |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0= |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0? |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~ |
Source: rYhL.exe, rYhL.exe, 00000003.00000002.4484224435.00000000015A3000.00000004.00000020.00020000.00000000.sdmp, rYhL.exe, 00000003.00000002.4484224435.0000000001581000.00000004.00000020.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp |
Source: rYhL.exe, 00000000.00000002.2038533702.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, rYhL.exe, 00000003.00000002.4483663867.0000000000400000.00000040.00000400.00020000.00000000.sdmp |
String found in binary or memory: http://geoplugin.net/json.gp/C |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://ocsp.digicert.com0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://ocsp.digicert.com0: |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://ocsp.digicert.com0H |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://ocsp.digicert.com0I |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://ocsp.msocsp.com0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://ocsp.msocsp.com0S |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://ocspx.digicert.com0E |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://www.digicert.com/CPS0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://www.digicert.com/CPS0~ |
Source: rYhL.exe, rYhL.exe, 00000007.00000002.2090160312.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.ebuddy.com |
Source: rYhL.exe, rYhL.exe, 00000007.00000002.2090160312.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.com |
Source: rYhL.exe, 00000007.00000002.2090160312.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com |
Source: rYhL.exe, 00000007.00000002.2090160312.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.imvu.comr |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696428304750 |
Source: rYhL.exe, 00000005.00000002.2095139644.00000000014F4000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net |
Source: rYhL.exe, 00000007.00000002.2090160312.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: http://www.nirsoft.net/ |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=P |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5a&FrontEnd=AF |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?77686a33b2eafa1538ef78c3be5a5910 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?caa2cf97cacae25a18f577703684ee65 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?0cf92be82316943650f2ee723bc6949e |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://fp-afd.azurefd.us/apc/trans.gif?94fb5ac9609bcb4cda0bf8acf1827073 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?7e9591e308dbda599df1fc08720a72a3 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?c6a2869c584d2ea23c67c44abe1ec326 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://fp.msedge.net/conf/v1/asgw/fpconfig.min.json |
Source: rYhL.exe, 00000005.00000002.2095074785.000000000116C000.00000004.00000010.00020000.00000000.sdmp |
String found in binary or memory: https://login.li |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com: |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live |
Source: rYhL.exe |
String found in binary or memory: https://login.yahoo.com/config/login |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://maps.windows.com/windows-app-web-link |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-04-14-10-35/PreSignInSettingsConfig.json |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=4954a0 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2 |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2 |
Source: rYhL.exe, rYhL.exe, 00000007.00000002.2090160312.0000000000400000.00000040.80000000.00040000.00000000.sdmp |
String found in binary or memory: https://www.google.com |
Source: rYhL.exe |
String found in binary or memory: https://www.google.com/accounts/servicelogin |
Source: bhv6B90.tmp.5.dr |
String found in binary or memory: https://www.office.com/ |
Source: 0.2.rYhL.exe.43e9970.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.rYhL.exe.43e9970.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.rYhL.exe.43e9970.2.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 3.2.rYhL.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 3.2.rYhL.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 3.2.rYhL.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 3.2.rYhL.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 3.2.rYhL.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 3.2.rYhL.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.rYhL.exe.46254b8.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.rYhL.exe.46254b8.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 0.2.rYhL.exe.46254b8.1.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.rYhL.exe.46254b8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.rYhL.exe.46254b8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 0.2.rYhL.exe.43e9970.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 0.2.rYhL.exe.43e9970.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000003.00000002.4483663867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: 00000003.00000002.4483663867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Author: unknown |
Source: 00000003.00000002.4483663867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen |
Source: 00000000.00000002.2038533702.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: rYhL.exe PID: 6196, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: Process Memory Space: rYhL.exe PID: 5884, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0041812A GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetModuleHandleA,GetProcAddress,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, |
3_2_0041812A |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0041330D OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile,CloseHandle,CloseHandle,CloseHandle, |
3_2_0041330D |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0041BBC6 OpenProcess,NtResumeProcess,CloseHandle, |
3_2_0041BBC6 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0041BB9A OpenProcess,NtSuspendProcess,CloseHandle, |
3_2_0041BB9A |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,CloseHandle,_wcsicmp,CloseHandle, |
5_2_0040DD85 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00401806 NtdllDefWindowProc_W, |
5_2_00401806 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_004018C0 NtdllDefWindowProc_W, |
5_2_004018C0 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_004016FD NtdllDefWindowProc_A, |
6_2_004016FD |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_004017B7 NtdllDefWindowProc_A, |
6_2_004017B7 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_00402CAC NtdllDefWindowProc_A, |
7_2_00402CAC |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_00402D66 NtdllDefWindowProc_A, |
7_2_00402D66 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_075B1198 |
0_2_075B1198 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_075B1A70 |
0_2_075B1A70 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_079F23A8 |
0_2_079F23A8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_079F4BE8 |
0_2_079F4BE8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_079F5300 |
0_2_079F5300 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_07F76014 |
0_2_07F76014 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_092EFAC8 |
0_2_092EFAC8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_092E0024 |
0_2_092E0024 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_092E0040 |
0_2_092E0040 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_092EF258 |
0_2_092EF258 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_092EF255 |
0_2_092EF255 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_092EF680 |
0_2_092EF680 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 0_2_092EF690 |
0_2_092EF690 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0043706A |
3_2_0043706A |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00414005 |
3_2_00414005 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0043E11C |
3_2_0043E11C |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_004541D9 |
3_2_004541D9 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_004381E8 |
3_2_004381E8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0041F18B |
3_2_0041F18B |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00446270 |
3_2_00446270 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0043E34B |
3_2_0043E34B |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_004533AB |
3_2_004533AB |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0042742E |
3_2_0042742E |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00437566 |
3_2_00437566 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0043E5A8 |
3_2_0043E5A8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_004387F0 |
3_2_004387F0 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0043797E |
3_2_0043797E |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_004339D7 |
3_2_004339D7 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0044DA49 |
3_2_0044DA49 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00427AD7 |
3_2_00427AD7 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0041DBF3 |
3_2_0041DBF3 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00427C40 |
3_2_00427C40 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00437DB3 |
3_2_00437DB3 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00435EEB |
3_2_00435EEB |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0043DEED |
3_2_0043DEED |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00426E9F |
3_2_00426E9F |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_10017194 |
3_2_10017194 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_1000B5C1 |
3_2_1000B5C1 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0044B040 |
5_2_0044B040 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0043610D |
5_2_0043610D |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00447310 |
5_2_00447310 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0044A490 |
5_2_0044A490 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0040755A |
5_2_0040755A |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0043C560 |
5_2_0043C560 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0044B610 |
5_2_0044B610 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0044D6C0 |
5_2_0044D6C0 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_004476F0 |
5_2_004476F0 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0044B870 |
5_2_0044B870 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0044081D |
5_2_0044081D |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00414957 |
5_2_00414957 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_004079EE |
5_2_004079EE |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00407AEB |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0044AA80 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00412AA9 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00404B74 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00404B03 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0044BBD8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00404BE5 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00404C76 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00415CFE |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00416D72 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00446D30 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00446D8B |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_00406E8F |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_00405038 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0041208C |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_004050A9 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0040511A |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0043C13A |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_004051AB |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_00449300 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0040D322 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0044A4F0 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0043A5AB |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_00413631 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_00446690 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0044A730 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_004398D8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_004498E0 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0044A886 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0043DA09 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_00438D5E |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_00449ED0 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_0041FE83 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_00430F54 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_004050C2 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_004014AB |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_00405133 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_004051A4 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_00401246 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_0040CA46 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_00405235 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_004032C8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_00401689 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_00402F60 |
Source: 0.2.rYhL.exe.43e9970.2.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.rYhL.exe.43e9970.2.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.rYhL.exe.43e9970.2.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 3.2.rYhL.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 3.2.rYhL.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.2.rYhL.exe.400000.0.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 3.2.rYhL.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 3.2.rYhL.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 3.2.rYhL.exe.400000.0.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.rYhL.exe.46254b8.1.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.rYhL.exe.46254b8.1.unpack, type: UNPACKEDPE |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 0.2.rYhL.exe.46254b8.1.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.rYhL.exe.46254b8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.rYhL.exe.46254b8.1.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 0.2.rYhL.exe.43e9970.2.raw.unpack, type: UNPACKEDPE |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 0.2.rYhL.exe.43e9970.2.raw.unpack, type: UNPACKEDPE |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000003.00000002.4483663867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: 00000003.00000002.4483663867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda |
Source: 00000003.00000002.4483663867.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY |
Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) |
Source: 00000000.00000002.2038533702.00000000043E9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: rYhL.exe PID: 6196, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: Process Memory Space: rYhL.exe PID: 5884, type: MEMORYSTR |
Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23 |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: mscoree.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: apphelp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: vcruntime140_clr0400.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: ucrtbase_clr0400.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: uxtheme.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: dwrite.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: textshaping.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: windowscodecs.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: amsi.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: userenv.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: gpapi.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: winmm.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: urlmon.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: iertutil.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: srvcli.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: netutils.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: iphlpapi.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: rstrtmgr.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: ncrypt.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: ntasn1.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: mswsock.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: profapi.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: kernel.appcore.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: ondemandconnroutehelper.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: winhttp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: winnsi.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: dnsapi.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: rasadhlp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: fwpuclnt.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: version.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: wininet.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: cryptbase.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: pstorec.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: vaultcli.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: wintypes.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: dpapi.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: pstorec.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: windows.storage.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: wldp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: msasn1.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: sspicli.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: cryptsp.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: rsaenh.dll |
Source: C:\Users\user\Desktop\rYhL.exe |
Section loaded: cryptbase.dll |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, aaRSXXvuBsjyuyfiLYU.cs |
High entropy of concatenated method names: 'UvURkGWbnU', 'eiDR8vEDlO', 'D1TRDf8ytH', 'geuRFb6f2v', 'RNpRHMF3cS', 'OfrRcBtFoW', 'OixRSaQxfL', 'c1QR7Zh7Q1', 'qLlRmibdDw', 'hmMRghCHld' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, vkXLbm7NbFnAyYgoFU.cs |
High entropy of concatenated method names: 'fVCr6LAjfm', 'hQMrtjYVJ9', 'W1nrKVhkfb', 'bn3rpoqNvC', 'EAhrjR6IVp', 'ekaraYMXRI', 'P95rqtCD6i', 'JT6rfPNNfN', 'zh2rwQvvTR', 'dlGrTHb7WC' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, qUZ0TLKvpjmBmjCs0Z.cs |
High entropy of concatenated method names: 'ToString', 'hFv3dtGQkN', 'ltH3oeW89a', 'rAf3Lfdmpa', 'sxJ3CYZKCr', 'Ypm3NwgnGT', 'oyv30KpNZ0', 'SEw32H0i4P', 'uEE3MkLNxo', 'Tvt3VaRWOw' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, t47C6FanJW2IRtMone.cs |
High entropy of concatenated method names: 'aCBnfDd3sW', 'GLfnTV5ZlI', 'mkJxuArBkV', 'g0jxvOhpxV', 'kR4nd7I6hy', 'AETnGyQ0uf', 'mSMnh7cbZ0', 'nLwn6T7f8L', 'WHcntbdV8u', 'YFknKmlQg4' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, sDhaTspB15XLIKojId.cs |
High entropy of concatenated method names: 'CyHneRPhaO', 'EmPnUueO22', 'ToString', 'Ih8nsY13VG', 'UrknruHEXQ', 'ASDn4RKwf0', 'fx8ni0s9ke', 'zOnnyUVqJo', 'zQcnEaydNM', 'qJEnZCqQN7' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, vdGwgCrHxthcFkMiiA.cs |
High entropy of concatenated method names: 'Dispose', 'EhWvwKyWh8', 'YvYbo4pDrk', 'TySNNKgLM2', 'ykkvTGZd6Z', 'BOZvzS6eUh', 'ProcessDialogKey', 'mOsbuCHqyL', 'bJXbvfcRJj', 'bMhbbQFthi' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, cdfytObNftiyQAe8gg.cs |
High entropy of concatenated method names: 'lnkDXBemJ', 'vegFXFkPL', 'ceYcLWRxT', 'iPgSSF5ZN', 'hULmAXjF6', 'TdZgAkVVb', 'IFoiSdpYraExHl5DMK', 'JDbUFhBKJKcS69KI7o', 'aRMxRUlQK', 'HoSOefNaQ' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, hTjWrY9nVoo7wOdi4l.cs |
High entropy of concatenated method names: 'I3ByQuNF0s', 'atMyrm70ss', 'iE4yirAroT', 'FmRyE0DEtv', 'AawyZSTIwB', 'aKrijRpcIu', 'jJAiaDt9Gn', 'jNviq3HTr5', 'jlEifxG6Ny', 'pjtiwrpvi1' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, fCHqyLwbJXfcRJjvMh.cs |
High entropy of concatenated method names: 'Xnux9lJuMo', 'If1xolRhqd', 'XbwxLyQg8J', 'prXxCZf6oX', 'JEqx6b4cMF', 'FDRxN2yNIP', 'Next', 'Next', 'Next', 'NextBytes' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, eFthi8TAUxRR5bHAiU.cs |
High entropy of concatenated method names: 'qGvRvtSHoU', 'oTQRJPQFiv', 'IaORXI1dvx', 'ac2Rs2G71P', 'DnsRroC82F', 'LZ2RioLrmF', 'J3JRyMX8pJ', 'mbMxqVriHx', 'jZUxfJnHfQ', 'NJUxwBbhbt' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, XpdWtb4umxlLfesgQn.cs |
High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'q9pbwcOBi0', 'PfdbTO2Nt5', 'YZZbzFQL44', 'MwuJuXpvGu', 'tTgJvc6tNn', 'I1XJbNKhf5', 'nKyJJlPYKI', 'cAhvAr9kWPbTSdSErwx' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, zW003qVEqy4LsncnKp.cs |
High entropy of concatenated method names: 'a25Ekvvl8N', 'bJiE89P498', 'JfdEDZWxlO', 'EOFEFaDVcS', 'Y2LEH2GZI7', 'nklEcOaV8E', 'ejuESB65wj', 'R0TE7VYtpg', 'UJxEmCj7wm', 'zBvEgJRsSs' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, QuLU3JmOcE6ek5yCM5.cs |
High entropy of concatenated method names: 'xhV4FxEVU4', 'xVi4c8qxgq', 'hQJ47IhOEY', 'UA34mTriwi', 'mmH4WVNE0U', 'iiI43raTMa', 'G1j4ni2PuC', 'wOT4xjeqBc', 'qfV4RICMmC', 'IHY4OJqJUn' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, WULmnpvJPSTP1wKRcbl.cs |
High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q41O6Q7jV5', 'B2rOt65Lm1', 'mrVOKETOsA', 'CN7OpdM0Sh', 'VlmOjoJJcn', 'svwOa1HL9f', 'UdNOqJMUfG' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, sJupmGX8IJy1fHSesh.cs |
High entropy of concatenated method names: 'kPBvEkXLbm', 'JbFvZnAyYg', 'cOcveE6ek5', 'iCMvU5bw4A', 'ARXvWki4Tj', 'orYv3nVoo7', 'vXfeQogNeDBXoelt1I', 'AH0vc5N8dJMNF1BGt0', 'vjlSQn2RYAsOkbDvV2', 'Ikovv3sqKN' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, cw4AivgiefADYHRXki.cs |
High entropy of concatenated method names: 'QVEiHFx8Fb', 'NieiSWMCNd', 'jDv4Lk0REX', 'UTa4C8M1Vg', 'Gby4NUbQBv', 'nKP40G6kK3', 'Lxt42vieFV', 'XYD4M3H2CT', 'lJ24VSk8Sp', 'obf4YCSa69' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, ixi1ym6907T2vrAhpl.cs |
High entropy of concatenated method names: 'QpiWYX7DX9', 'vAtWGX7NHo', 'bp3W6jTGvY', 'SZWWtmMEuq', 'RwvWoT9N54', 'e3pWLBTVGM', 'eFWWCHk2dl', 'rJ2WNjNG4Z', 'xw3W09AeUv', 'yTIW2dE6sk' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, h7g8jtZpJbQb8YJRQy.cs |
High entropy of concatenated method names: 'D2PJQZwdB6', 'uV3JssbYmv', 'uWBJrG5SKY', 'M8UJ4kGLfi', 'gQsJi0DIZG', 'KWwJyknkLF', 'FlkJEbc3pe', 'eXZJZfIxAl', 'iHMJIMRk1U', 'UR4JeaOemM' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, MICTxRhm36R84StVrh.cs |
High entropy of concatenated method names: 'Gtx57XkqWu', 'or45m0919c', 'eKE59ditxZ', 'kvv5oqmNif', 'd3v5C3ura2', 'bjX5NR0nLq', 'yKj52yMXVR', 'Y1l5MOVZjP', 'uaJ5YeEA5q', 'AhH5dkJVHE' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, xkGZd6fZHOZS6eUheO.cs |
High entropy of concatenated method names: 'T98xsys8Yn', 'UWRxrdF981', 'NGDx4AiCYb', 'PZTxianyGC', 'h8Gxy0bdqc', 'kHSxEaT1DY', 'SL7xZ9rt7g', 'g6HxIVT0UI', 'TcXxeZIO3r', 'XBbxUiO8Za' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, QWQ2y62JMaVrHeR1wk.cs |
High entropy of concatenated method names: 'iNYEsP4eha', 'BOLE4QmrVA', 'wF8EyvUSUo', 'eBQyTV06VK', 'Whyyz5MHet', 'iobEuUOtXF', 'H1wEvAtxGq', 'HXUEbhe2ER', 'yYtEJoU9DG', 'RowEXTxg5I' |
Source: 0.2.rYhL.exe.456ae98.3.raw.unpack, gandkHvbtWxhOw37mhh.cs |
High entropy of concatenated method names: 'qe1Oki3pX6', 'GtqO8KQoIm', 'EVDOD4sr1T', 'fp6B2X4N2gSexjeMARF', 'RrkAwS42UhZycXolIR1', 'tWtdYH4gJn3nSjLpj5x' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, aaRSXXvuBsjyuyfiLYU.cs |
High entropy of concatenated method names: 'UvURkGWbnU', 'eiDR8vEDlO', 'D1TRDf8ytH', 'geuRFb6f2v', 'RNpRHMF3cS', 'OfrRcBtFoW', 'OixRSaQxfL', 'c1QR7Zh7Q1', 'qLlRmibdDw', 'hmMRghCHld' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, vkXLbm7NbFnAyYgoFU.cs |
High entropy of concatenated method names: 'fVCr6LAjfm', 'hQMrtjYVJ9', 'W1nrKVhkfb', 'bn3rpoqNvC', 'EAhrjR6IVp', 'ekaraYMXRI', 'P95rqtCD6i', 'JT6rfPNNfN', 'zh2rwQvvTR', 'dlGrTHb7WC' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, qUZ0TLKvpjmBmjCs0Z.cs |
High entropy of concatenated method names: 'ToString', 'hFv3dtGQkN', 'ltH3oeW89a', 'rAf3Lfdmpa', 'sxJ3CYZKCr', 'Ypm3NwgnGT', 'oyv30KpNZ0', 'SEw32H0i4P', 'uEE3MkLNxo', 'Tvt3VaRWOw' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, t47C6FanJW2IRtMone.cs |
High entropy of concatenated method names: 'aCBnfDd3sW', 'GLfnTV5ZlI', 'mkJxuArBkV', 'g0jxvOhpxV', 'kR4nd7I6hy', 'AETnGyQ0uf', 'mSMnh7cbZ0', 'nLwn6T7f8L', 'WHcntbdV8u', 'YFknKmlQg4' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, sDhaTspB15XLIKojId.cs |
High entropy of concatenated method names: 'CyHneRPhaO', 'EmPnUueO22', 'ToString', 'Ih8nsY13VG', 'UrknruHEXQ', 'ASDn4RKwf0', 'fx8ni0s9ke', 'zOnnyUVqJo', 'zQcnEaydNM', 'qJEnZCqQN7' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, vdGwgCrHxthcFkMiiA.cs |
High entropy of concatenated method names: 'Dispose', 'EhWvwKyWh8', 'YvYbo4pDrk', 'TySNNKgLM2', 'ykkvTGZd6Z', 'BOZvzS6eUh', 'ProcessDialogKey', 'mOsbuCHqyL', 'bJXbvfcRJj', 'bMhbbQFthi' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, cdfytObNftiyQAe8gg.cs |
High entropy of concatenated method names: 'lnkDXBemJ', 'vegFXFkPL', 'ceYcLWRxT', 'iPgSSF5ZN', 'hULmAXjF6', 'TdZgAkVVb', 'IFoiSdpYraExHl5DMK', 'JDbUFhBKJKcS69KI7o', 'aRMxRUlQK', 'HoSOefNaQ' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, hTjWrY9nVoo7wOdi4l.cs |
High entropy of concatenated method names: 'I3ByQuNF0s', 'atMyrm70ss', 'iE4yirAroT', 'FmRyE0DEtv', 'AawyZSTIwB', 'aKrijRpcIu', 'jJAiaDt9Gn', 'jNviq3HTr5', 'jlEifxG6Ny', 'pjtiwrpvi1' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, fCHqyLwbJXfcRJjvMh.cs |
High entropy of concatenated method names: 'Xnux9lJuMo', 'If1xolRhqd', 'XbwxLyQg8J', 'prXxCZf6oX', 'JEqx6b4cMF', 'FDRxN2yNIP', 'Next', 'Next', 'Next', 'NextBytes' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, eFthi8TAUxRR5bHAiU.cs |
High entropy of concatenated method names: 'qGvRvtSHoU', 'oTQRJPQFiv', 'IaORXI1dvx', 'ac2Rs2G71P', 'DnsRroC82F', 'LZ2RioLrmF', 'J3JRyMX8pJ', 'mbMxqVriHx', 'jZUxfJnHfQ', 'NJUxwBbhbt' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, XpdWtb4umxlLfesgQn.cs |
High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'q9pbwcOBi0', 'PfdbTO2Nt5', 'YZZbzFQL44', 'MwuJuXpvGu', 'tTgJvc6tNn', 'I1XJbNKhf5', 'nKyJJlPYKI', 'cAhvAr9kWPbTSdSErwx' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, zW003qVEqy4LsncnKp.cs |
High entropy of concatenated method names: 'a25Ekvvl8N', 'bJiE89P498', 'JfdEDZWxlO', 'EOFEFaDVcS', 'Y2LEH2GZI7', 'nklEcOaV8E', 'ejuESB65wj', 'R0TE7VYtpg', 'UJxEmCj7wm', 'zBvEgJRsSs' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, QuLU3JmOcE6ek5yCM5.cs |
High entropy of concatenated method names: 'xhV4FxEVU4', 'xVi4c8qxgq', 'hQJ47IhOEY', 'UA34mTriwi', 'mmH4WVNE0U', 'iiI43raTMa', 'G1j4ni2PuC', 'wOT4xjeqBc', 'qfV4RICMmC', 'IHY4OJqJUn' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, WULmnpvJPSTP1wKRcbl.cs |
High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Q41O6Q7jV5', 'B2rOt65Lm1', 'mrVOKETOsA', 'CN7OpdM0Sh', 'VlmOjoJJcn', 'svwOa1HL9f', 'UdNOqJMUfG' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, sJupmGX8IJy1fHSesh.cs |
High entropy of concatenated method names: 'kPBvEkXLbm', 'JbFvZnAyYg', 'cOcveE6ek5', 'iCMvU5bw4A', 'ARXvWki4Tj', 'orYv3nVoo7', 'vXfeQogNeDBXoelt1I', 'AH0vc5N8dJMNF1BGt0', 'vjlSQn2RYAsOkbDvV2', 'Ikovv3sqKN' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, cw4AivgiefADYHRXki.cs |
High entropy of concatenated method names: 'QVEiHFx8Fb', 'NieiSWMCNd', 'jDv4Lk0REX', 'UTa4C8M1Vg', 'Gby4NUbQBv', 'nKP40G6kK3', 'Lxt42vieFV', 'XYD4M3H2CT', 'lJ24VSk8Sp', 'obf4YCSa69' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, ixi1ym6907T2vrAhpl.cs |
High entropy of concatenated method names: 'QpiWYX7DX9', 'vAtWGX7NHo', 'bp3W6jTGvY', 'SZWWtmMEuq', 'RwvWoT9N54', 'e3pWLBTVGM', 'eFWWCHk2dl', 'rJ2WNjNG4Z', 'xw3W09AeUv', 'yTIW2dE6sk' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, h7g8jtZpJbQb8YJRQy.cs |
High entropy of concatenated method names: 'D2PJQZwdB6', 'uV3JssbYmv', 'uWBJrG5SKY', 'M8UJ4kGLfi', 'gQsJi0DIZG', 'KWwJyknkLF', 'FlkJEbc3pe', 'eXZJZfIxAl', 'iHMJIMRk1U', 'UR4JeaOemM' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, MICTxRhm36R84StVrh.cs |
High entropy of concatenated method names: 'Gtx57XkqWu', 'or45m0919c', 'eKE59ditxZ', 'kvv5oqmNif', 'd3v5C3ura2', 'bjX5NR0nLq', 'yKj52yMXVR', 'Y1l5MOVZjP', 'uaJ5YeEA5q', 'AhH5dkJVHE' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, xkGZd6fZHOZS6eUheO.cs |
High entropy of concatenated method names: 'T98xsys8Yn', 'UWRxrdF981', 'NGDx4AiCYb', 'PZTxianyGC', 'h8Gxy0bdqc', 'kHSxEaT1DY', 'SL7xZ9rt7g', 'g6HxIVT0UI', 'TcXxeZIO3r', 'XBbxUiO8Za' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, QWQ2y62JMaVrHeR1wk.cs |
High entropy of concatenated method names: 'iNYEsP4eha', 'BOLE4QmrVA', 'wF8EyvUSUo', 'eBQyTV06VK', 'Whyyz5MHet', 'iobEuUOtXF', 'H1wEvAtxGq', 'HXUEbhe2ER', 'yYtEJoU9DG', 'RowEXTxg5I' |
Source: 0.2.rYhL.exe.74f0000.4.raw.unpack, gandkHvbtWxhOw37mhh.cs |
High entropy of concatenated method names: 'qe1Oki3pX6', 'GtqO8KQoIm', 'EVDOD4sr1T', 'fp6B2X4N2gSexjeMARF', 'RrkAwS42UhZycXolIR1', 'tWtdYH4gJn3nSjLpj5x' |
Source: C:\Users\user\Desktop\rYhL.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Users\user\Desktop\rYhL.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\rYhL.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\rYhL.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\rYhL.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\rYhL.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\rYhL.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\rYhL.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_0040928E |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
3_2_0041C322 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
3_2_0040C388 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_004096A0 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
3_2_00408847 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00407877 FindFirstFileW,FindNextFileW, |
3_2_00407877 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0044E8F9 FindFirstFileExA, |
3_2_0044E8F9 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
3_2_0040BB6B |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, |
3_2_00419B86 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
3_2_0040BD72 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
3_2_100010F1 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_10006580 FindFirstFileExA, |
3_2_10006580 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW, |
5_2_0040AE51 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, |
6_2_00407EF8 |
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, |
7_2_00407898 |
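The enumeration rows above are raw API-sequence listings, one per call site, and the interesting question for triage is which of them go beyond listing a directory: which call sites pair FindFirstFile/FindNextFile with DeleteFile or RemoveDirectory (a recursive-delete shape), which sit at a DLL-style image base rather than in the main executable, and which use the ANSI versus the wide-character API family. The following Python is an added example written for this page, not code from the sandbox vendor or from the analysed sample. Its input is the section's own rows, embedded as constructed test data; the 0x10000000 DLL-base heuristic, the API groupings and the untouched treatment of the `3_2`-style prefix are the example author's assumptions, not something the report states.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample input: the "Code function" rows of this report section, copied as extracted.
# The first row keeps its "Source:" and repeated-identifier lines to show what the parser skips;
# the remaining rows list only the "Code function" line.
REPORT = r"""
Source: C:\Users\user\Desktop\rYhL.exe |
Code function: 3_2_0040928E __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
3_2_0040928E |
Code function: 3_2_0041C322 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, |
Code function: 3_2_0040C388 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, |
Code function: 3_2_004096A0 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose, |
Code function: 3_2_00408847 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose, |
Code function: 3_2_00407877 FindFirstFileW,FindNextFileW, |
Code function: 3_2_0044E8F9 FindFirstFileExA, |
Code function: 3_2_0040BB6B FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, |
Code function: 3_2_00419B86 FindFirstFileW,FindNextFileW,FindNextFileW, |
Code function: 3_2_0040BD72 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, |
Code function: 3_2_100010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
Code function: 3_2_10006580 FindFirstFileExA, |
Code function: 5_2_0040AE51 FindFirstFileW,FindNextFileW, |
Code function: 6_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, |
Code function: 7_2_00407898 FindFirstFileA,FindNextFileA,strlen,strlen, |
"""

# Row shape: "Code function: <prefix>_<8 hex digits> <api>,<api>,..., |"
ROW_RE = re.compile(r"^Code function:\s+(\d+_\d+)_([0-9A-Fa-f]{8})\s+(\S+)")

ENUM_APIS = {"FindFirstFileA", "FindFirstFileW", "FindFirstFileExA", "FindFirstFileExW",
             "FindNextFileA", "FindNextFileW"}
DESTRUCTIVE_APIS = {"DeleteFileA", "DeleteFileW", "RemoveDirectoryA", "RemoveDirectoryW"}
# Assumption (heuristic): the default preferred image base for DLLs is 0x10000000, while a
# main EXE defaults to 0x00400000, so addresses at or above it are probably inside a loaded module.
DLL_DEFAULT_BASE = 0x10000000


@dataclass(frozen=True)
class Row:
    prefix: str      # the report's "3_2"-style prefix, kept verbatim and not interpreted
    address: int     # call-site address parsed from the identifier
    apis: tuple      # imported APIs in the order the report lists them


def parse_rows(text):
    """Extract every 'Code function' row; 'Source:' and bare identifier lines carry no API data."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        prefix, addr, api_list = m.groups()
        apis = tuple(a for a in api_list.split(",") if a)   # drop the trailing empty element
        rows.append(Row(prefix, int(addr, 16), apis))
    return rows


def classify(row):
    """Tag one call site: enumeration, destructive calls, handle closing, A/W family, module range."""
    enum = [a for a in row.apis if a in ENUM_APIS]
    charsets = {a[-1] for a in enum}          # 'A' or 'W' suffix of the enumeration APIs used
    return {
        "enumerates": bool(enum),
        "destructive": any(a in DESTRUCTIVE_APIS for a in row.apis),
        "closes_handle": "FindClose" in row.apis,
        "charset": "mixed" if len(charsets) > 1 else (charsets.pop() if charsets else None),
        "likely_dll_code": row.address >= DLL_DEFAULT_BASE,
    }


def summarize(text):
    """Roll the rows up into the counts and shortlists an analyst wants first."""
    rows = parse_rows(text)
    tags = {f"{r.prefix}_{r.address:08X}": classify(r) for r in rows}
    return {
        "rows": len(rows),
        "per_prefix": dict(Counter(r.prefix for r in rows)),
        "enumerate_and_delete": sorted(k for k, t in tags.items()
                                       if t["enumerates"] and t["destructive"]),
        "likely_dll_code": sorted(k for k, t in tags.items() if t["likely_dll_code"]),
        "ansi_rows": sum(1 for t in tags.values() if t["charset"] == "A"),
        "wide_rows": sum(1 for t in tags.values() if t["charset"] == "W"),
        "tags": tags,
    }


if __name__ == "__main__":
    s = summarize(REPORT)
    for key in ("rows", "per_prefix", "enumerate_and_delete", "likely_dll_code", "ansi_rows", "wide_rows"):
        print(f"{key}: {s[key]}")
```

Three call sites (0x0040BB6B, 0x0040BD72 and 0x0041C322) combine enumeration with DeleteFile/RemoveDirectory, and 0x0041C322 additionally clears attributes with SetFileAttributesW before deleting, which is the usual way to remove read-only entries; the two rows at 0x100010F1 and 0x10006580 fall in the DLL default range, so they are probably code in a module the process loaded rather than in rYhL.exe's own image. The listing records imports per call site, not runtime call counts, so a row without FindClose (0x00407877) only means the handle is closed elsewhere, not that it leaks.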