Windows Analysis Report
epht1Y3TGZ.exe

Overview

General Information

Sample name: epht1Y3TGZ.exe
renamed because original name is a hash value
Original sample name: 25860926414bf43383246f7c773a8d6c.exe
Analysis ID: 1518342
MD5: 25860926414bf43383246f7c773a8d6c
SHA1: 760390a4a14df085f4c841067f52c79409cdc93e
SHA256: a8e552944846a2f5e8fefea4a250046da29d74d1f58f7a868258e6ded9597958
Tags: exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: C:\Users\user\AppData\Local\Temp\iikbjmsy Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\fsfj Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\mtdwpx Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\fsfj Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\mtdwpx Joe Sandbox ML: detected
Source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_b1ac216d-e

Exploits

Source: Yara match File source: 15.2.cmd.exe.5155b57.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DZIPR.exe.358b5ce.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DZIPR.exe.358a9ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.5156757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.51a1b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.explorer.exe.461e757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.48a2757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.explorer.exe.45d8a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.DZIPR.exe.3545901.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.explorer.exe.461db57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.515ca8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.51a2757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.5219b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.48a1b57.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explorer.exe.4fd6a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explorer.exe.501c757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.5110a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.521a757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.explorer.exe.485ca8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.explorer.exe.501bb57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.51d4a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: DZIPR.exe PID: 6864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED
Source: epht1Y3TGZ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: msacm32.pdbUGP source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125375066.00000000027C2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217610841.0000000002722000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2391902777.00000000030C2000.00000008.00000001.01000000.00000000.sdmp, iikbjmsy.15.dr, fsfj.3.dr, mtdwpx.10.dr
Source: Binary string: msacm32.pdb source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125375066.00000000027C2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217610841.0000000002722000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2391902777.00000000030C2000.00000008.00000001.01000000.00000000.sdmp, iikbjmsy.15.dr, fsfj.3.dr, mtdwpx.10.dr
Source: Binary string: wntdll.pdbUGP source: DZIPR.exe, 00000001.00000002.1766986120.0000000003637000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1767892447.0000000003990000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125654234.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125276347.0000000004E25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218110243.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217828864.0000000004DA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125976766.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125744520.0000000004714000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217750173.0000000004477000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2218057626.0000000004940000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391745006.0000000004D6D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392082164.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392370706.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392079481.0000000004C21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DZIPR.exe, 00000001.00000002.1766986120.0000000003637000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1767892447.0000000003990000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125654234.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125276347.0000000004E25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218110243.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217828864.0000000004DA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125976766.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125744520.0000000004714000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217750173.0000000004477000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2218057626.0000000004940000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391745006.0000000004D6D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392082164.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392370706.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392079481.0000000004C21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002724000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmp
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040301A
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402B79
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC8748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 1_2_6CC8748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C89748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 2_2_6C89748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F89748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 9_2_6F89748E
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking

Source: Malware configuration extractor URLs: fullimmersion777.com
Source: DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://c0rl.m%L
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://support.datanumen.com
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: DZIPR.exe, 00000001.00000002.1766393271.00000000034E8000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.0000000005185000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.000000000510D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.0000000004589000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.000000000480D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.00000000050C1000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004F87000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://www.repairfile.com
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002F75000.00000004.00000020.00020000.00000000.sdmp, epht1Y3TGZ.exe, 00000000.00000003.1737006961.0000000002460000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000003.1756607781.0000000003D46000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.datanumen.com/zip-repair/
Source: DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.c
Source: DZIPR.exe, 00000001.00000002.1766393271.000000000353F000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125498885.00000000051CE000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217993441.0000000005156000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125575098.00000000045D2000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217943505.0000000004856000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391935050.000000000510A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC904EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 1_2_6CC904EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A04EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 2_2_6C8A04EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A04EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW, 9_2_6F8A04EE
Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED

E-Banking Fraud

Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED

System Summary

Source: 15.2.cmd.exe.5155b57.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.DZIPR.exe.358b5ce.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.DZIPR.exe.358a9ce.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.5156757.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.51a1b57.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.461e757.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.explorer.exe.48a2757.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.45d8a8a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.DZIPR.exe.3545901.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.explorer.exe.461db57.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.515ca8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.51a2757.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5219b57.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.explorer.exe.48a1b57.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.explorer.exe.4fd6a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.explorer.exe.501c757.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 15.2.cmd.exe.5110a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.521a757.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 13.2.explorer.exe.485ca8a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 17.2.explorer.exe.501bb57.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 3.2.cmd.exe.51d4a8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A0D95 NtdllDefWindowProc_W, 9_2_6F8A0D95
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A2932 _memset,NtdllDefWindowProc_W, 9_2_6F8A2932
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F89E5F6 NtdllDefWindowProc_W,CallWindowProcW, 9_2_6F89E5F6
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Tasks\lnfast_x64.job Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00404FAA 0_2_00404FAA
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_0041206B 0_2_0041206B
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_0041022D 0_2_0041022D
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00411F91 0_2_00411F91
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC85E70 1_2_6CC85E70
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC863F0 1_2_6CC863F0
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC85CA0 1_2_6CC85CA0
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CCA2CBB 1_2_6CCA2CBB
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC96C6C 1_2_6CC96C6C
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC91D85 1_2_6CC91D85
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC9AE45 1_2_6CC9AE45
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CCA3E3B 1_2_6CCA3E3B
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC95FB7 1_2_6CC95FB7
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CCA586C 1_2_6CCA586C
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC96860 1_2_6CC96860
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC9648C 1_2_6CC9648C
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC817D0 1_2_6CC817D0
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CCA3743 1_2_6CCA3743
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC81739 1_2_6CC81739
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC81730 1_2_6CC81730
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC9708C 1_2_6CC9708C
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CCA31FF 1_2_6CCA31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C895E70 2_2_6C895E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8963F0 2_2_6C8963F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C895CA0 2_2_6C895CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8B2CBB 2_2_6C8B2CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A6C6C 2_2_6C8A6C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A1D85 2_2_6C8A1D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8B3E3B 2_2_6C8B3E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8AAE45 2_2_6C8AAE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A5FB7 2_2_6C8A5FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8B586C 2_2_6C8B586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A6860 2_2_6C8A6860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A648C 2_2_6C8A648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8917D0 2_2_6C8917D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C891731 2_2_6C891731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C891730 2_2_6C891730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8B3743 2_2_6C8B3743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A708C 2_2_6C8A708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8B31FF 2_2_6C8B31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F895E70 9_2_6F895E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8963F0 9_2_6F8963F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A5FB7 9_2_6F8A5FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8B3E3B 9_2_6F8B3E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8AAE45 9_2_6F8AAE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A1D85 9_2_6F8A1D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F895CA0 9_2_6F895CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8B2CBB 9_2_6F8B2CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A6C6C 9_2_6F8A6C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8B586C 9_2_6F8B586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A6860 9_2_6F8A6860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8917D0 9_2_6F8917D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F891731 9_2_6F891731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F891730 9_2_6F891730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8B3743 9_2_6F8B3743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A648C 9_2_6F8A648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8B31FF 9_2_6F8B31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A708C 9_2_6F8A708C
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\fsfj 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\iikbjmsy 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\mtdwpx 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: C:\Users\user\DZIPR.exe Code function: String function: 6CC953BC appears 48 times
Source: C:\Users\user\DZIPR.exe Code function: String function: 6CC950C9 appears 66 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6C8A53BC appears 48 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6F8A50C9 appears 65 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6F8A53BC appears 48 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: String function: 6C8A50C9 appears 65 times
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: String function: 0040243B appears 37 times
Source: epht1Y3TGZ.exe, 00000000.00000003.1726094333.000000000252D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs epht1Y3TGZ.exe
Source: epht1Y3TGZ.exe, 00000000.00000002.1769642494.0000000000432000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs epht1Y3TGZ.exe
Source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002724000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDZIPR.DLL4 vs epht1Y3TGZ.exe
Source: epht1Y3TGZ.exe Binary or memory string: OriginalFilename7ZSfxMod_x86.exe< vs epht1Y3TGZ.exe
Source: epht1Y3TGZ.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 15.2.cmd.exe.5155b57.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.DZIPR.exe.358b5ce.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.DZIPR.exe.358a9ce.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.5156757.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.51a1b57.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.461e757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.explorer.exe.48a2757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.45d8a8a.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.DZIPR.exe.3545901.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.explorer.exe.461db57.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.515ca8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.51a2757.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5219b57.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.explorer.exe.48a1b57.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.explorer.exe.4fd6a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.explorer.exe.501c757.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 15.2.cmd.exe.5110a8a.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.521a757.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 13.2.explorer.exe.485ca8a.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 17.2.explorer.exe.501bb57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 3.2.cmd.exe.51d4a8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@22/16@0/0
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 0_2_00407776
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_0040118A GetDiskFreeSpaceExW,SendMessageW, 0_2_0040118A
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_004034C1
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 0_2_00401BDF
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe File created: C:\Users\user\ekqqtq
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:744:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7044:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5660:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe File created: C:\Users\user\AppData\Local\Temp\a1ba81aa
Source: Yara match File source: 1.0.DZIPR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000000.1739235026.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1736102615.000000000277A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: C:\Users\user\DZIPR.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, type: DROPPED
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: epht1Y3TGZ.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe File read: C:\Users\user\Desktop\epht1Y3TGZ.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\epht1Y3TGZ.exe "C:\Users\user\Desktop\epht1Y3TGZ.exe"
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\DZIPR.exe Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe" Jump to behavior
Source: C:\Users\user\DZIPR.exe Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe Jump to behavior
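The process chain above (sample on the Desktop, a DZIPR.exe copy at the user-profile root, a second copy under AppData\Roaming\Ruy_driverv2, then cmd.exe, then C:\Windows\SysWOW64\explorer.exe), together with the extensionless files this report shows cmd.exe dropping and loading from %TEMP% and the lnfast_x64.job file it writes to C:\Windows\Tasks, is the lineage a detection rule should key on. The Python below is an added example and is not part of the sandbox report or its tooling: it runs a handful of rules over constructed Sysmon-style events that mirror this report's chain (event IDs 1, 11 and 7, with field names simplified rather than Sysmon's own), and escalates a cmd.exe-launched SysWOW64\explorer.exe when an ancestor is an executable under AppData\Roaming. The PIDs, the JOB_WRITERS_ALLOWED set and the rule names are assumptions made for the example.

```python
import re

# Path patterns taken from this report's behaviour, matched case-insensitively.
USER_ROOT_PE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.(exe|dll)$", re.I)        # C:\Users\<u>\DZIPR.exe
TEMP_NO_EXT = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^\\.]+$", re.I)  # ...\Temp\fsfj
TASKS_JOB = re.compile(r"^[A-Z]:\\Windows\\Tasks\\[^\\]+\.job$", re.I)
ROAMING_EXE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\.+\.exe$", re.I)
JOB_WRITERS_ALLOWED = {"svchost.exe"}   # Task Scheduler service host; assumption, extend per estate


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(procs, pid):
    """Image paths of pid's ancestors, nearest first, from the process-create events seen."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        if pid in procs:
            yield procs[pid]["image"]


def detect(events):
    """Run the rules over simplified events; return (rule, pid) hits in event order."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    hits = []
    for e in events:
        if e["id"] == 1:                                    # process create
            img = e["image"]
            parent = procs.get(e["ppid"], {}).get("image", "")
            if (basename(img) == "explorer.exe" and "\\syswow64\\" in img.lower()
                    and basename(parent) == "cmd.exe"):
                rule = "wow64_explorer_from_cmd"
                if any(ROAMING_EXE.match(a) for a in ancestors(procs, e["pid"])):
                    rule = "injection_chain_roaming_exe_cmd_explorer"
                hits.append((rule, e["pid"]))
            if basename(img) == "cmd.exe" and ROAMING_EXE.match(parent):
                hits.append(("cmd_from_roaming_exe", e["pid"]))
        elif e["id"] == 11:                                 # file create
            target = e["target"]
            writer = procs.get(e["pid"], {}).get("image", "")
            if USER_ROOT_PE.match(target):
                hits.append(("pe_dropped_to_user_root", e["pid"]))
            if TASKS_JOB.match(target) and basename(writer) not in JOB_WRITERS_ALLOWED:
                hits.append(("job_file_by_user_process", e["pid"]))
            if TEMP_NO_EXT.match(target):
                hits.append(("extensionless_file_in_temp", e["pid"]))
        elif e["id"] == 7 and TEMP_NO_EXT.match(e["loaded"]):   # image load
            hits.append(("module_loaded_from_temp_no_ext", e["pid"]))
    return hits


# Constructed events mirroring the chain in this report; PIDs are invented.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Users\user\Desktop\epht1Y3TGZ.exe"},
    {"id": 11, "pid": 100, "target": r"C:\Users\user\DZIPR.exe"},
    {"id": 1, "pid": 101, "ppid": 100, "image": r"C:\Users\user\DZIPR.exe"},
    {"id": 11, "pid": 101, "target": r"C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"},
    {"id": 1, "pid": 102, "ppid": 101, "image": r"C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"},
    {"id": 1, "pid": 103, "ppid": 102, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"id": 11, "pid": 103, "target": r"C:\Users\user\AppData\Local\Temp\fsfj"},
    {"id": 7, "pid": 103, "loaded": r"C:\Users\user\AppData\Local\Temp\fsfj"},
    {"id": 11, "pid": 103, "target": r"C:\Windows\Tasks\lnfast_x64.job"},
    {"id": 1, "pid": 104, "ppid": 103, "image": r"C:\Windows\SysWOW64\explorer.exe"},
    # benign control: an interactive 64-bit shell opening a folder
    {"id": 1, "pid": 200, "ppid": 1, "image": r"C:\Windows\System32\cmd.exe"},
    {"id": 1, "pid": 201, "ppid": 200, "image": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:45s} pid={pid}")
```

A 32-bit cmd.exe that runs a plain `explorer` also resolves to SysWOW64\explorer.exe through file-system redirection, so the explorer rule on its own is noisy; the AppData\Roaming ancestor check and the PE drop to the profile root are what make this chain worth escalating. Legacy .job files are normally written by the Task Scheduler service, which is why the allowlist for C:\Windows\Tasks is deliberately short.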
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: dzipr.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\DZIPR.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dzipr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bitsproxy.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dzipr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dzipr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pla.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: pdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: tdh.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: wevtapi.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: aepic.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: powrprof.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dxgi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: twinapi.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: umpdc.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: oahisshhqlvln.3.dr LNK file: ..\..\Roaming\Ruy_driverv2\DZIPR.exe
Source: epht1Y3TGZ.exe Static file information: File size 4809996 > 1048576
Source: Binary string: msacm32.pdbUGP source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125375066.00000000027C2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217610841.0000000002722000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2391902777.00000000030C2000.00000008.00000001.01000000.00000000.sdmp, iikbjmsy.15.dr, fsfj.3.dr, mtdwpx.10.dr
Source: Binary string: msacm32.pdb source: cmd.exe, 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125375066.00000000027C2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217610841.0000000002722000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2391902777.00000000030C2000.00000008.00000001.01000000.00000000.sdmp, iikbjmsy.15.dr, fsfj.3.dr, mtdwpx.10.dr
Source: Binary string: wntdll.pdbUGP source: DZIPR.exe, 00000001.00000002.1766986120.0000000003637000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1767892447.0000000003990000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125654234.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125276347.0000000004E25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218110243.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217828864.0000000004DA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125976766.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125744520.0000000004714000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217750173.0000000004477000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2218057626.0000000004940000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391745006.0000000004D6D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392082164.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392370706.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392079481.0000000004C21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: DZIPR.exe, 00000001.00000002.1766986120.0000000003637000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1767892447.0000000003990000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125654234.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000003.00000002.2125276347.0000000004E25000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2218110243.0000000005240000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000A.00000002.2217828864.0000000004DA3000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125976766.0000000004A70000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.2125744520.0000000004714000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2217750173.0000000004477000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.2218057626.0000000004940000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2391745006.0000000004D6D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000F.00000002.2392082164.00000000051F0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392370706.00000000050C0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000011.00000002.2392079481.0000000004C21000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: epht1Y3TGZ.exe, 00000000.00000003.1736102615.0000000002724000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 00000001.00000002.1769033320.000000006CCA8000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 00000002.00000002.1823311491.000000006C8B8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000009.00000002.2032678434.000000006F8B8000.00000002.00000001.01000000.00000009.sdmp
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: DZIPR.dll.0.dr Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: DZIPR.dll.1.dr Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: epht1Y3TGZ.exe Static PE information: real checksum: 0x33302 should be: 0x4a3c93
Source: mtdwpx.10.dr Static PE information: real checksum: 0x0 should be: 0x7d505
Source: fsfj.3.dr Static PE information: real checksum: 0x0 should be: 0x7d505
Source: iikbjmsy.15.dr Static PE information: real checksum: 0x0 should be: 0x7d505
Source: DZIPR.exe.0.dr Static PE information: section name: .didata
Source: DZIPR.exe.1.dr Static PE information: section name: .didata
Source: fsfj.3.dr Static PE information: section name: cmxvoc
Source: mtdwpx.10.dr Static PE information: section name: cmxvoc
Source: iikbjmsy.15.dr Static PE information: section name: cmxvoc
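The checksum and section-name lines above are cheap static-triage signals: the three extensionless drops in %TEMP% carry a zeroed PE CheckSum ("real checksum: 0x0 should be: 0x7d505") and a non-standard section named cmxvoc, while the sample and DZIPR.dll carry a stored value that does not match the recomputed one. The Python below is an added example, not code from the sandbox or from the sample: it recomputes the PE header checksum with the standard algorithm (32-bit sum of the file's DWORDs with the CheckSum field skipped, folded to 16 bits, plus the file length), reports whether the stored value is unset, matching or mismatched, and lists section names outside a small conventional set. build_minimal_pe() produces a constructed header-only PE32 image so the block runs offline; the STANDARD_SECTIONS set is this example's assumption and should be tuned to your own corpus.

```python
import struct

# Section names commonly emitted by MSVC, Delphi and MinGW; anything else (the
# report's "cmxvoc") is worth a look. Assumption of this example, tune per corpus.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".didata", ".CRT", ".itext"}


def pe_offsets(data):
    """Locate the CheckSum field and the section table from the DOS and NT headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    size_opt = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    # CheckSum sits at +0x40 of the optional header in both PE32 and PE32+
    return opt_hdr + 0x40, opt_hdr + size_opt, nsections


def compute_checksum(data, checksum_off):
    """Standard PE checksum: DWORD sum with end-around carry, CheckSum field skipped,
    folded to 16 bits, plus the unpadded file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_off:      # e_lfanew is 4-byte aligned in practice, so this is the field
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return ((total & 0xFFFF) + len(data)) & 0xFFFFFFFF


def section_names(data, sect_table, nsections):
    """Names from the 40-byte IMAGE_SECTION_HEADER entries (first 8 bytes each)."""
    return [data[sect_table + 40 * i: sect_table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
            for i in range(nsections)]


def triage_pe(data):
    """Stored vs. recomputed checksum, a status string, and any non-standard section names."""
    checksum_off, sect_table, nsections = pe_offsets(data)
    stored = struct.unpack_from("<I", data, checksum_off)[0]
    computed = compute_checksum(data, checksum_off)
    status = "unset" if stored == 0 else ("match" if stored == computed else "mismatch")
    names = section_names(data, sect_table, nsections)
    return {"stored": stored, "computed": computed, "status": status,
            "sections": names, "odd_sections": [n for n in names if n not in STANDARD_SECTIONS]}


def build_minimal_pe(section_name=b".text", stored_checksum=0):
    """Constructed 512-byte header-only PE32 with one section: test input, not a real binary."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, 1 section, opt hdr 0xE0
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                # PE32 magic
    struct.pack_into("<I", opt, 0x40, stored_checksum)                   # the CheckSum field
    sect = section_name.ljust(8, b"\0") + b"\0" * 32                     # one IMAGE_SECTION_HEADER
    return (dos + b"PE\0\0" + file_hdr + bytes(opt) + sect).ljust(0x200, b"\0")


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_minimal_pe(b"cmxvoc")
    r = triage_pe(blob)
    print(f"checksum stored=0x{r['stored']:x} computed=0x{r['computed']:x} ({r['status']}); "
          f"sections={r['sections']} odd={r['odd_sections']}")
```

A zero or mismatched checksum is weak evidence on its own: Windows only verifies the field for kernel-mode drivers and certain boot-time images, and plenty of linkers leave it zero. Its value here is as a corroborating feature next to an extensionless drop in %TEMP% and a section named cmxvoc. Run it on the actual drop by passing the file path on the command line rather than on the constructed image.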
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00411C20 push eax; ret 0_2_00411C4E
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC95401 push ecx; ret 1_2_6CC95414
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC951A1 push ecx; ret 1_2_6CC951B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A5401 push ecx; ret 2_2_6C8A5414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A51A1 push ecx; ret 2_2_6C8A51B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A5401 push ecx; ret 9_2_6F8A5414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A51A1 push ecx; ret 9_2_6F8A51B4
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe File created: C:\Users\user\DZIPR.exe Jump to dropped file
Source: C:\Users\user\DZIPR.exe File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Jump to dropped file
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe File created: C:\Users\user\DZIPR.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\fsfj Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\mtdwpx Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\iikbjmsy Jump to dropped file
Source: C:\Users\user\DZIPR.exe File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll Jump to dropped file
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe File created: C:\Users\user\DZIPR.exe Jump to dropped file
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe File created: C:\Users\user\DZIPR.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\fsfj Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\mtdwpx Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Local\Temp\iikbjmsy Jump to dropped file

Boot Survival

Source: C:\Users\user\Desktop\epht1Y3TGZ.exe File created: C:\Users\user\DZIPR.exe Jump to dropped file
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe File created: C:\Users\user\DZIPR.dll Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Windows\Tasks\lnfast_x64.job Jump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\FSFJ
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\MTDWPX
Source: C:\Windows\SysWOW64\cmd.exe Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\IIKBJMSY
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC8DE29 IsIconic,GetWindowPlacement,GetWindowRect, 1_2_6CC8DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C89DE29 IsIconic,GetWindowPlacement,GetWindowRect, 2_2_6C89DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F89DE29 IsIconic,GetWindowPlacement,GetWindowRect, 9_2_6F89DE29
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\DZIPR.exe API/Special instruction interceptor: Address: 6C977C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API/Special instruction interceptor: Address: 6C977C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API/Special instruction interceptor: Address: 6C977945
Source: C:\Windows\SysWOW64\cmd.exe API/Special instruction interceptor: Address: 6C973B54
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: 2DA317
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\fsfj
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\mtdwpx
Source: C:\Windows\SysWOW64\cmd.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\iikbjmsy
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\DZIPR.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\DZIPR.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\DZIPR.exe API coverage: 4.5 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API coverage: 4.7 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API coverage: 4.5 %
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 0_2_0040301A
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00402B79
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC8748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 1_2_6CC8748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C89748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 2_2_6C89748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F89748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW, 9_2_6F89748E
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: DZIPR.exe, 00000001.00000002.1765606333.00000000033ED000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 6vmware
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000011.00000002.2392238940.0000000004FD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: C:\Users\user\DZIPR.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\DZIPR.exe Process information queried: ProcessInformation
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC93F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6CC93F34
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow, 0_2_00406D5D
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC85CA0 mov eax, dword ptr fs:[00000030h] 1_2_6CC85CA0
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC85D78 mov eax, dword ptr fs:[00000030h] 1_2_6CC85D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C895CA0 mov eax, dword ptr fs:[00000030h] 2_2_6C895CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C895D78 mov eax, dword ptr fs:[00000030h] 2_2_6C895D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F895D78 mov eax, dword ptr fs:[00000030h] 9_2_6F895D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F895CA0 mov eax, dword ptr fs:[00000030h] 9_2_6F895CA0
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC9CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6CC9CE5C
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC98034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6CC98034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8ACE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_6C8ACE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A3F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6C8A3F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 2_2_6C8A8034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_6C8A8034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A3F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_6F8A3F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8ACE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 9_2_6F8ACE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: 9_2_6F8A8034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_6F8A8034

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtProtectVirtualMemory: Direct from: 0x6F902C26
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtProtectVirtualMemory: Direct from: 0x6C8FCE9B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtProtectVirtualMemory: Direct from: 0x6F902B04
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtQuerySystemInformation: Direct from: 0x6C8966A2
Source: C:\Users\user\DZIPR.exe NtQuerySystemInformation: Direct from: 0x6CC866A2
Source: C:\Users\user\DZIPR.exe NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe NtQuerySystemInformation: Direct from: 0x6F8966A2
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2336 base: 2D79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 2336 base: 2740000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 4280 base: 2D79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 4280 base: 26A0000 value: 00
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6752 base: 2D79C0 value: 55
Source: C:\Windows\SysWOW64\cmd.exe Memory written: PID: 6752 base: 3040000 value: 00
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D79C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2740000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D79C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 26A0000
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 2D79C0
Source: C:\Windows\SysWOW64\cmd.exe Memory written: C:\Windows\SysWOW64\explorer.exe base: 3040000
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_0040D72E cpuid 0_2_0040D72E
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 0_2_00401F9D
Source: C:\Users\user\DZIPR.exe Code function: GetLocaleInfoA, 1_2_6CCA4DBC
Source: C:\Users\user\DZIPR.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 1_2_6CC889B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: GetLocaleInfoA, 2_2_6C8B4DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 2_2_6C8989B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: GetLocaleInfoA, 9_2_6F8B4DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 9_2_6F8989B5
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z, 0_2_00401626
Source: C:\Users\user\DZIPR.exe Code function: 1_2_6CC9D72B __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson, 1_2_6CC9D72B
Source: C:\Users\user\Desktop\epht1Y3TGZ.exe Code function: 0_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 0_2_00404FAA

Stealing of Sensitive Information

Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED

Remote Access Functionality

Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.cmd.exe.56c00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.cmd.exe.5c300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.cmd.exe.57000c8.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000002.2391830637.0000000003099000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2126221230.0000000005C30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2218362255.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2392314567.00000000056C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2217537794.00000000026F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2125303235.0000000002799000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: cmd.exe PID: 7064, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2336, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4280, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 5296, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 6752, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\iikbjmsy, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\fsfj, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\mtdwpx, type: DROPPED
No contacted IP infos